From b22c44987af40f583a5b2729b33fe3aaed0b7171 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 24 Jul 2019 15:23:50 -0700 Subject: [PATCH 01/43] Updated controller template with proxy partials Signed-off-by: Ivan Sim --- charts/linkerd/.helmignore | 21 +++ charts/linkerd/Chart.yaml | 10 ++ charts/linkerd/templates/NOTES.txt | 0 charts/linkerd/templates/_affinity.tpl | 22 +++ charts/linkerd/templates/_helpers.tpl | 32 ++++ charts/linkerd/templates/_resources.tpl | 22 +++ charts/linkerd/templates/controller-rbac.yaml | 55 +++++++ charts/linkerd/templates/controller.yaml | 142 ++++++++++++++++++ charts/linkerd/templates/namespace.yaml | 15 ++ charts/linkerd/values.yaml | 66 ++++++++ charts/partials/.helmignore | 21 +++ charts/partials/Chart.yaml | 5 + charts/partials/templates/NOTES.txt | 19 +++ charts/partials/templates/_helpers.tpl | 32 ++++ charts/partials/templates/_proxy.tpl | 82 ++++++++++ charts/partials/templates/_volumes.tpl | 5 + charts/partials/values.yaml | 48 ++++++ 17 files changed, 597 insertions(+) create mode 100644 charts/linkerd/.helmignore create mode 100644 charts/linkerd/Chart.yaml create mode 100644 charts/linkerd/templates/NOTES.txt create mode 100644 charts/linkerd/templates/_affinity.tpl create mode 100644 charts/linkerd/templates/_helpers.tpl create mode 100644 charts/linkerd/templates/_resources.tpl create mode 100644 charts/linkerd/templates/controller-rbac.yaml create mode 100644 charts/linkerd/templates/controller.yaml create mode 100644 charts/linkerd/templates/namespace.yaml create mode 100644 charts/linkerd/values.yaml create mode 100644 charts/partials/.helmignore create mode 100644 charts/partials/Chart.yaml create mode 100644 charts/partials/templates/NOTES.txt create mode 100644 charts/partials/templates/_helpers.tpl create mode 100644 charts/partials/templates/_proxy.tpl create mode 100644 charts/partials/templates/_volumes.tpl create mode 100644 charts/partials/values.yaml 
diff --git a/charts/linkerd/.helmignore b/charts/linkerd/.helmignore new file mode 100644 index 0000000000000..f0c1319444416 --- /dev/null +++ b/charts/linkerd/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/Chart.yaml b/charts/linkerd/Chart.yaml new file mode 100644 index 0000000000000..fe02eca0f9c2b --- /dev/null +++ b/charts/linkerd/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: "v1" +appVersion: stable-2.4.0 +name: "linkerd" +version: 0.1.0 +description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required. +keywords: +- service-mesh +home: https://linkerd.io +sources: +- https://github.com/linkerd/linkerd2/ diff --git a/charts/linkerd/templates/NOTES.txt b/charts/linkerd/templates/NOTES.txt new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/charts/linkerd/templates/_affinity.tpl b/charts/linkerd/templates/_affinity.tpl new file mode 100644 index 0000000000000..9bd3ff4fba6e4 --- /dev/null +++ b/charts/linkerd/templates/_affinity.tpl @@ -0,0 +1,22 @@ +{{ define "linkerd.pod-affinity" -}} +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ .Label }} + operator: In + values: + - {{ .Component }} + topologyKey: failure-domain.beta.kubernetes.io/zone + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ .Label }} + operator: In + values: + - {{ .Component }} + topologyKey: kubernetes.io/hostname +{{- end }} 
diff --git a/charts/linkerd/templates/_helpers.tpl b/charts/linkerd/templates/_helpers.tpl new file mode 100644 index 0000000000000..c0087d71c8dad --- /dev/null +++ b/charts/linkerd/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "linkerd.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "linkerd.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "linkerd.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/linkerd/templates/_resources.tpl b/charts/linkerd/templates/_resources.tpl new file mode 100644 index 0000000000000..cf75912293c20 --- /dev/null +++ b/charts/linkerd/templates/_resources.tpl 
@@ -0,0 +1,22 @@
+{{/* Specify resource requests and limits for workloads */}}
+{{- define "linkerd.resources" -}}
+resources:
+ {{- if or .CPU.Request .Memory.Request }}
+ requests:
+ {{- with .CPU.Request }}
+ cpu: {{.}}
+ {{- end }}
+ {{- with .Memory.Request }}
+ memory: {{.}}
+ {{- end }}
+ {{- end }}
+ {{- if or .CPU.Limit .Memory.Limit }}
+ limits:
+ {{- with .CPU.Limit }}
+ cpu: {{.}}
+ {{- end }}
+ {{- with .Memory.Limit }}
+ memory: {{.}}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/linkerd/templates/controller-rbac.yaml b/charts/linkerd/templates/controller-rbac.yaml
new file mode 100644
index 0000000000000..f18c144b53aee
--- /dev/null
+++ b/charts/linkerd/templates/controller-rbac.yaml
@@ -0,0 +1,55 @@
+{{with .Values -}}
+---
+###
+### Controller RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: linkerd-{{.Namespace}}-controller
+ labels:
+ {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: ["extensions", "apps"]
+ resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["extensions", "batch"]
+ resources: ["jobs"]
+ verbs: ["list" , "get", "watch"]
+- apiGroups: [""]
+ resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["linkerd.io"]
+ resources: ["serviceprofiles"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["split.smi-spec.io"]
+ resources: ["trafficsplits"]
+ verbs: ["list", "get", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: linkerd-{{.Namespace}}-controller
+ labels:
+ {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-controller
+subjects:
+- kind: ServiceAccount
+ name: linkerd-controller
+ namespace: {{.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-controller
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{end -}}
diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml
new file mode 100644
index 0000000000000..1cabddf8abf37
--- /dev/null
+++ b/charts/linkerd/templates/controller.yaml
@@ -0,0 +1,142 @@
+{{with .Values -}}
+---
+###
+### Controller
+###
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: linkerd-controller-api
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+spec:
+ type: ClusterIP
+ selector:
+ {{.ControllerComponentLabel}}: controller
+ ports:
+ - name: http
+ port: 8085
+ targetPort: 8085
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: linkerd-destination
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+spec:
+ type: ClusterIP
+ selector:
+ {{.ControllerComponentLabel}}: controller
+ ports:
+ - name: grpc
+ port: 8086
+ targetPort: 8086
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: linkerd-controller
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+spec:
+ replicas: {{.ControllerReplicas}}
+ selector:
+ matchLabels:
+ {{.ControllerComponentLabel}}: controller
+ template:
+ metadata:
+ labels:
+ {{.ControllerComponentLabel}}: controller
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+ spec:
+ serviceAccountName: linkerd-controller
+ containers:
+ - name: public-api
+ ports:
+ - name: http
+ containerPort: 8085
+ - name: admin-http
+ containerPort: 9995
+ volumeMounts:
+ - name: config
+ mountPath: /var/run/linkerd/config
+ image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}}
+ imagePullPolicy: {{.ImagePullPolicy}}
+ args:
+ - "public-api"
+ - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.cluster.local:9090"
+ - "-tap-addr=linkerd-tap.{{.Namespace}}.svc.cluster.local:8088"
+ - "-controller-namespace={{.Namespace}}"
+ - "-log-level={{.ControllerLogLevel}}"
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9995
+ initialDelaySeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 9995
+ failureThreshold: 7
+ {{- include "linkerd.resources" .PublicAPIResources | nindent 8 }}
+ securityContext:
+ runAsUser: {{.ControllerUID}}
+ - name: destination
+ ports:
+ - name: grpc
+ containerPort: 8086
+ - name: admin-http
+ containerPort: 9996
+ volumeMounts:
+ - name: config
+ mountPath: /var/run/linkerd/config
+ image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}}
+ imagePullPolicy: {{.ImagePullPolicy}}
+ args:
+ - "destination"
+ - "-addr=:8086"
+ - "-controller-namespace={{.Namespace}}"
+ - "-enable-h2-upgrade={{.EnableH2Upgrade}}"
+ - "-log-level={{.ControllerLogLevel}}"
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9996
+ initialDelaySeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 9996
+ failureThreshold: 7
+ {{- include "linkerd.resources" .DestinationResources | nindent 8 }}
+ securityContext:
+ runAsUser: {{.ControllerUID}}
+ {{- if not .Proxy.Image.Version -}}
+ {{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}}
+ {{ end -}}
+ {{- include "partials.proxy" .Proxy | nindent 6 -}}
+ volumes:
+ - name: config
+ configMap:
+ name: linkerd-config
+ {{- include "partials.proxy-identity-volume" . | nindent 6 -}}
+ {{- if eq .HighAvailability true -}}
+ {{- $local := dict "Label" .ControllerComponentLabel "Component" "controller" -}}
+ {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
+ {{- end -}}
+{{end -}}
diff --git a/charts/linkerd/templates/namespace.yaml b/charts/linkerd/templates/namespace.yaml
new file mode 100644
index 0000000000000..0fdd8e58d9b92
--- /dev/null
+++ b/charts/linkerd/templates/namespace.yaml
@@ -0,0 +1,15 @@
+{{with .Values -}}
+---
+###
+### Linkerd Namespace
+###
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: {{ .Namespace }}
+ annotations:
+ {{.ProxyInjectAnnotation}}: {{.ProxyInjectDisabled}}
+ labels:
+ {{.LinkerdNamespaceLabel}}: "true"
+{{end -}}
diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml
new file mode 100644
index 0000000000000..1042712e36000
--- /dev/null
+++ b/charts/linkerd/values.yaml
@@ -0,0 +1,66 @@
+# Default values for linkerd.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+ClusterDomain: &cluster_domain cluster.local
+EnableH2Upgrade: true
+HighAvailability: &high_availability true
+ImagePullPolicy: IfNotPresent
+Namespace: &namespace linkerd
+
+# controller configuration
+ControllerReplicas: 1
+ControllerImage: gcr.io/linkerd-io/controller
+ControllerLogLevel: info
+ControllerUID: 2103
+
+# proxy configuration
+Proxy:
+ ClusterDomain: *cluster_domain
+ EnableExternalProfile: false
+ HighAvailability: *high_availability
+ IdentityTrustAnchors: |
+ -----BEGIN CERTIFICATE-----
+ MIIBgjCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0
+ eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI0MTY1OTM4WhcNMjAwNzIz
+ MTY1OTU4WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j
+ YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQQiUcsrdv4rhQ9THRlPQrLshFY
+ YgvHgyAyGfqlrukGR4OsNzv1tX3lNsMZggvqr7skiXozt7R9SwMrTZK7EkU0o0Iw
+ QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+ MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgHKe2J1SooDemPrjC
+ 4YMyvoEmZ/7lGzeUOcIxN8bGcHwCIEp5zIp8+2QEPfKwS01sW0fjQwHBzV87Dm4G
+ eHrLH7qz
+ -----END CERTIFICATE-----
+ Image:
+ Name: gcr.io/linkerd-io/proxy
+ PullPolicy: IfNotPresent
+ InboundAcceptKeepAlive: 10000ms
+ LogLevel: warn,linkerd2_proxy=info
+ ControlPlaneNamespace: *namespace
+ OutboundAcceptKeepAlive: 10000ms
+ Port:
+ Admin: 4191
+ Control: 4190
+ Inbound: 4143
+ Outbound: 4140
+ ResourceRequirements:
+ limits:
+ cpu: "1"
+ memory: 250Mi
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ UID: 2102
+
+# proxy-init configuration
+ProxyInit:
+
+# annotations
+CreatedByAnnotation: linkerd.io/created-by
+ProxyInjectAnnotation: linkerd.io/inject
+ProxyInjectDisabled: disabled
+
+# labels
+ControllerComponentLabel: linkerd.io/control-plane-component
+ControllerNamespaceLabel: linkerd.io/control-plane-ns
+LinkerdNamespaceLabel: linkerd.io/is-control-plane
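Review bot: `IdentityTrustAnchors` ships a concrete certificate as the chart default, so every install that does not override it trusts a root the operator never generated and shares with every other default install of this chart. Leaving the default empty and failing the render where it is consumed, e.g. `{{ required "Proxy.IdentityTrustAnchors must be set" .IdentityTrustAnchors }}`, makes supplying a per-cluster anchor an explicit step instead of a silent fallback to a published value. `ProxyInit:` with no value parses as null rather than an empty mapping, so any template that reaches into `.ProxyInit.<key>` would error; write `ProxyInit: {}` until it has contents.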
diff --git a/charts/partials/.helmignore b/charts/partials/.helmignore new file mode 100644 index 0000000000000..f0c1319444416 --- /dev/null +++ b/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/partials/Chart.yaml b/charts/partials/Chart.yaml new file mode 100644 index 0000000000000..6158530270ef6 --- /dev/null +++ b/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart containing Linkerd partial templates, depended by the 'linkerd' and 'patch' charts. +name: partials +version: 0.1.0 diff --git a/charts/partials/templates/NOTES.txt b/charts/partials/templates/NOTES.txt new file mode 100644 index 0000000000000..f672e735b8dad --- /dev/null +++ b/charts/partials/templates/NOTES.txt 
@@ -0,0 +1,19 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "partials.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ include "partials.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "partials.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "partials.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/charts/partials/templates/_helpers.tpl b/charts/partials/templates/_helpers.tpl new file mode 100644 index 0000000000000..77a242db1eceb --- /dev/null +++ b/charts/partials/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "partials.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "partials.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "partials.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl new file mode 100644 index 0000000000000..d3af0d0743cab --- /dev/null +++ b/charts/partials/templates/_proxy.tpl 
@@ -0,0 +1,82 @@
+{{ define "partials.proxy" -}}
+- env:
+ - name: LINKERD2_PROXY_LOG
+ value: {{.LogLevel}}
+ - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
+ value: localhost.:8086
+ - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
+ value: 0.0.0.0:{{.Port.Control}}
+ - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
+ value: 0.0.0.0:{{.Port.Admin}}
+ - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
+ value: 127.0.0.1:{{.Port.Outbound}}
+ - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
+ value: 0.0.0.0:{{.Port.Inbound}}
+ - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
+ {{- $internalProfileSuffix := printf "svc.%s" .ClusterDomain }}
+ value: {{ternary "." $internalProfileSuffix .EnableExternalProfile}}
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
+ value: {{.InboundAcceptKeepAlive}}
+ - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
+ value: {{.OutboundAcceptKeepAlive}}
+ - name: _pod_ns
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: LINKERD2_PROXY_DESTINATION_CONTEXT
+ value: ns:$(_pod_ns)
+ - name: LINKERD2_PROXY_IDENTITY_DIR
+ value: /var/run/linkerd/identity/end-entity
+ - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
+ value: |
+ {{- .IdentityTrustAnchors | nindent 6 -}}
+ - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
+ value: /var/run/secrets/kubernetes.io/serviceaccount/token
+ - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
+ value: linkerd-identity.linkerd.svc.cluster.local:8080
+ - name: _pod_sa
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.serviceAccountName
+ - name: _l5d_ns
+ value: {{.ControlPlaneNamespace}}
+ - name: _l5d_trustdomain
+ value: {{.ClusterDomain}}
+ - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
+ value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
+ value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
+ value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ image: {{.Image.Name}}:{{.Image.Version}}
+ imagePullPolicy: {{.Image.PullPolicy}}
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: {{.Port.Admin}}
+ name: linkerd-proxy
+ ports:
+ - containerPort: {{.Port.Inbound}}
+ name: linkerd-proxy
+ protocol: TCP
+ - containerPort: {{.Port.Admin}}
+ name: linkerd-admin
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: {{.Port.Admin}}
+ {{- if and (eq .HighAvailability true) .ResourceRequirements -}}
+ resources:
+ {{- toYaml .ResourceRequirements | trim | nindent 2 -}}
+ {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: {{.UID}}
+ volumeMounts:
+ - name: linkerd-identity-end-entity
+ mountPath: /var/run/linkerd/identity/end-entity
+{{ end -}}
diff --git a/charts/partials/templates/_volumes.tpl b/charts/partials/templates/_volumes.tpl
new file mode 100644
index 0000000000000..f3717cbd60af5
--- /dev/null
+++ b/charts/partials/templates/_volumes.tpl
@@ -0,0 +1,5 @@
+{{ define "partials.proxy-identity-volume" -}}
+- name: linkerd-identity-end-entity
+ emptyDir:
+ medium: Memory
+{{- end -}}
diff --git a/charts/partials/values.yaml b/charts/partials/values.yaml
new file mode 100644
index 0000000000000..b433518eb1885
--- /dev/null
+++ b/charts/partials/values.yaml
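Review bot: `{{- .IdentityTrustAnchors | nindent 6 -}}` swallows the env entry that follows it: with the value's trailing newline (which the `|` block in values.yaml keeps) `nindent` emits a final indented line, and the trailing `-}}` then pulls `- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE` onto that line at column 6, inside the block scalar, leaving its `value:` as a duplicate key of the previous entry. The resources block has the same trim problem: `-}}` on the `if` line glues `resources:` onto the preceding `port:` line whenever HighAvailability is true, and `nindent 2` places `limits:`/`requests:` at the same level as `resources:` instead of under it. `LINKERD2_PROXY_IDENTITY_SVC_ADDR` hard-codes `linkerd` and `cluster.local` although `.ControlPlaneNamespace` and `.ClusterDomain` are on the same context and are already used for `_l5d_ns` and `_l5d_trustdomain`, so an install into another namespace or cluster domain points every proxy at the wrong identity service. The corrected lines are below; everything else in the partial is unchanged.
```yaml
  - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
    value: |
    {{- .IdentityTrustAnchors | trim | nindent 6 }}
  {{/* … unchanged: LINKERD2_PROXY_IDENTITY_TOKEN_FILE entry … */}}
  - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
    value: linkerd-identity.{{.ControlPlaneNamespace}}.svc.{{.ClusterDomain}}:8080
  {{/* … unchanged: remaining env entries, image, probes, ports … */}}
  {{- if and (eq .HighAvailability true) .ResourceRequirements }}
  resources:
    {{- toYaml .ResourceRequirements | trim | nindent 4 }}
  {{- end }}
  {{/* … unchanged: securityContext, volumeMounts … */}}
```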
@@ -0,0 +1,48 @@ +# Default values for partials. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + tag: stable + pullPolicy: IfNotPresent + +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} From 46a81b06a90209a290f8c626c74ae1e8ccc90e4b Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 24 Jul 2019 22:25:57 -0700 Subject: [PATCH 02/43] Declare dependency in requirements.yaml Signed-off-by: Ivan Sim --- charts/linkerd/charts/partials-0.1.0.tgz | Bin 0 -> 2955 bytes charts/linkerd/requirements.lock | 6 ++++++ charts/linkerd/requirements.yaml | 4 ++++ 3 files changed, 10 insertions(+) create mode 100644 charts/linkerd/charts/partials-0.1.0.tgz create mode 100644 charts/linkerd/requirements.lock create mode 100644 charts/linkerd/requirements.yaml 
diff --git a/charts/linkerd/charts/partials-0.1.0.tgz b/charts/linkerd/charts/partials-0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..319d6bd97aaf0937fbe3edd713422113be5c892b GIT binary patch literal 2955 zcmV;63v~1!iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI?CbJ{q!?`waGb4i{_+gprDnzZAYzF>jwGEIRAG`pRh9Y(Pa zpjMV#NhaY^?q|Ov$p%A0%HEsJ-hC!|k=W+=r=#=#NKT2=lrU9mPKnh1oFweoLysT` zf;Xq9_J0rr+y8^((>KrRC#UtZJ`M8B9AeKt2yW?!Vz<{M;-v-F&w2tN7EyRseF%<1j7PId9#9>z_0s(_jily z-)^k@e@0k_>MscZKk)zK;Pu&-|DV*~ym|8f#~26D!ZFF124?^;7INi%zIOn_DOErf z5cu5qcwQX~nGmfphB0Mm2wE61A`xapQgX#mffjIukP@XZ2FkU7xya-?DEOWyF=aF& zO_6aOLf!LdLM9k`01{K7s1|Y_0-sQR;{j+g2|;Ot?g6A3V|~GBG!LOO?h4(PsE}*V z#*W?$rKB;2P^oz1jImn}J%w^cBRiX(rx-$$WlE#$^bNX@I)t}@=TSb9sFWc?Zsv|d z7!#(@MlLQiF+ovqZ=<&HB*kL1Z(eh zVS5sl$Yg}YDi7dSgiK|Gu{lVLM3NwnfeUT4u2PKXcn)!HQmeOZq}Ku%k{NBvK zDKM(FHJO7oE3ZIh(bP=;k#cGj;X`L^EEHk^*Mx7Zr1V zkoZfc?C*)0fMbM85jlTl*Do;qI0d=8@30&zR?dg$B**=+3VA-{Qvs(Y4DW)A7j*g_!(VDBdN{FCI-N#i*r-3 z%Z%IlUQbaWnD|F{tU_f9ZvXX&NQc{0 zni(3kSb)hd%Vk)rEf(Oza=BRCrZ(xanAOp{OQz7E=begzN>{|#7gASNY~{s(Zz=)D z72cQ{0J^dHi!+0({#X1_jfrJV zX`(ablQ=eVMf)tjSyn6q(NtKyg|*sY&PI5+lGP5ep9>QIM3~9i@;=c6fQddKbTlMn z4w`&LATY*jNGQ*AUY{CkEki=5pBJ5EMkq5z=sPqwK8p+@!r|Jqn)YqCP7vd=l^>Ob zsb&#WulLc*(ONHq_QhqVd53B&+CGZeW4;aL9W4r-v64Uv$1v)n>GJ57=GKgchLtUa z*tP8Rp;fiKhZFUCtx>n}vArdZRK)ulDuW71Q-8B!HZQ)rQ&ej)y}JDxAc7r1j%Be&7dwJ$xIy4U9Qv3SHw<3aqBKF9cx(WcsOV zB4ao#Bn9U6@NH0zWq)D(za#&TrpQv1%Gc?`Yz6$V|33+~^8e|{@#$0ke~htM)Lz1j zCLt))wx>5f{4OzKiKZCB%bE=YwU=J|Cbezc6v23c37)o>u^Y!;PFFR}ALX}Qvbz4+ z_J+ROaJJr8gpqQq4&On`j7M;GVlQbj$i`!O1C{C;%=m}7b__Np5^eHDF^7qpbNH4K zM#mImB+AJm1}H zbq9vlWD}F~U-({U4AMm!2eOKzZWGl$qZ+O$V~?gNwAm9O+qMc4lV!TyZzN#;&UYmhq4)wSG;aK{nHGll5#zU%D+_gU#hZ&=H~q~ zhPLZ^!vIT~H4c++VH>Sl?dGQ9s2I6IcAthVS!L&X%Hnp{`Tjk82Z<>&X|(d66{w6V ze`=wBcU*cJk2CJd|EUx=^9RfRKg|E9r^nm<|7mdc)c-%qSS)Ub9IJm95==mtg&sf^ z+`-&=r~9FO(K;UWFM7Xy9-a4owvCoOJP2X2@Xy8M9B0UE7qH{4R(mk)bQ{A?uR9uC 
zHb;$C>!J)}H=n0MY2OsnXS;!#z3%X$cRo7r42JFQEu6qs|Xn}Ta8?q#jf z`q=62i`R$~%I`z#eH#AM`_ygi0$eu@1!OPNS0dx_eW;!8y`bA%cK8nw%L?gV^xk*Q z+oQp!_wPHuwFeg3=6cFCN={f`3R5WN*&}?nN=j-L`7SHD7O^D~LV3~JuWZDk$T?K} z$}Uj9ZMTxzHyc0hBa}w7+3pWVAKLAHy{xRDVEB8;s8G1zzc}+3R-O z&E3$2>h8lHr6L}2wSM!x6iJxxRoMFS0>|NM?_%q8zIbd2`}T-vqdB!*^L|=3p40wq zSY85G;ozWo{k?%3rong)is#*xj&mZ{4k0R$n?jX+YDQugOA`fRqc7rlsTEi{P z)Rg5Z+3BX`TAR-!YM&8~t9_eIi#P9Sqo~+MgKdCvq}WSq=e=g*+-{YWp>oSrGcAjwgwz7$vJjCQJZ`ZMang7eex1hu4*DjwQ{`rE14 z$*T~6t!46KedP+7yzNBU-#{p*$z3P_sT5j7f`u?__V0sRGqepx%rAF>NhC4dOB9B3 z{sTeeUAAdKpW`?1f1#6U!|jh#M)llugZRR<#O~nv0>5QcqB}o#5p;bfo#SconIvq- zJFclL1>)lzrnHp_pfJiL)pHX%@FrgvVN6{2C7n@*6Kt!9FycNrE55jJ(&=$FzYs#d zrwr9xX-q=93`dahhWeyXT4{XhwCsE{!LkHD8cSE@N_N{_s~c$wATe*a=(tyE%a5x5 zVa@Yh{hyQAqwW6&^*7t!f1RG3ojvt`k1=-ke`~*R=1}y5`#29Ksh+o}biSQnOtU0} zkM{uEh4CtOH;=sAAm|EKls{hyQi>!GAwxc(YcWvMNvKuwV`m@sh#3DMD%^2sZZXj1nKZK+avPI&Ac0LO{@ z!sK}>aZGP8cAx6~#|s}!atFcfn}#JwQQA-Ie9vzUMguJ*dI!)HNg_C0HU|(>sXTu| zb0gnr-b-I6srT}~ zy#u%;l8Q`0r`1-T36Nhf(w?cDNzKto@#QI;J&mXFH2z8Be*ypi|Nm7HIbi@c0004k B(3AiG literal 0 HcmV?d00001 diff --git a/charts/linkerd/requirements.lock b/charts/linkerd/requirements.lock new file mode 100644 index 0000000000000..b82d2145b2849 --- /dev/null +++ b/charts/linkerd/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:3a86b96a2966f03ba04518723838b49719a3277dfb9bea0b3f067e83d370e0b3 +generated: 2019-07-24T19:51:15.04322926-07:00 diff --git a/charts/linkerd/requirements.yaml b/charts/linkerd/requirements.yaml new file mode 100644 index 0000000000000..a17d782a8b996 --- /dev/null +++ b/charts/linkerd/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: +- name: partials + version: 0.1.0 + repository: file://../partials From 242ed736122cabc943ff214e9806ea4691869d4d Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 25 Jul 2019 12:39:56 -0700 Subject: [PATCH 03/43] Add partial template for proxy's metadata 
Signed-off-by: Ivan Sim --- charts/linkerd/charts/partials-0.1.0.tgz | Bin 2955 -> 3070 bytes charts/linkerd/templates/controller.yaml | 17 ++++++++++++----- charts/linkerd/values.yaml | 5 +++-- charts/partials/templates/_metadata.tpl | 8 ++++++++ 4 files changed, 23 insertions(+), 7 deletions(-) create mode 100644 charts/partials/templates/_metadata.tpl 
diff --git a/charts/linkerd/charts/partials-0.1.0.tgz b/charts/linkerd/charts/partials-0.1.0.tgz index 319d6bd97aaf0937fbe3edd713422113be5c892b..8248aa60b848a2359ba62eeaf150195bdbca0bda 100644 GIT binary patch delta 3041 zcmV<73m)`~7ycKJJAXQDZ`(MN{j6Ux=j1`!UM-+5ol9K$AIPuO3A(5rwa5(QXWJ;u_gsEC{LZtR*Bw;Tedjvrc zygNCu|AQdd{2v^iyn9hUI;p=s4i4+}qZdK_D5xL3fZ)+7xqoA1N)!1a_&=|;xw#)? zkd$7aR8;T~rge{`Y5B8K_k)TTqlzR=wSCoqpOGaH8C`)$a7`$ud<>_QU!ja4*Cx=I zq>N}(Zy?4Ld5ke!&OlEP4w!>I@Bj#p;UFbCnjAQs%J(=)Ff0%$Z(2|j_;o+<{%&^t zzZ<3fPYKIV{eLA6-~szT436J!+W+D4yJ!1YhgvGRDvYkeCWZwUDzA_?Yq=4?vS~2ud659)CcZG1eE1Mzat)qpr|>i3+*) ztncVeQA!$P2$hOA${4%#(o-m>G_tGdS&AVvS*A3~PTyb`Qit$9@I1=L5|uJw$j#bu z2qVH2TF=FWCdMhM5atUH0ALTUvP+a4%@(Ps<@5cB5v7)!xech9s*=dKy^59@RtyzH zPeQ190Dlvqw50){>YQX1Z%C3d^qGhVGn-&4gx`Mm3}&c;!bqa-T0gorp{kj3Kr3kN zuWh(JiArQL!eWUsQCqm2Khcdm7NgZ8s96?*e|73c{33xAh17LhIwldxD=2ub)DZvolJV?Y2VTBq~5 z!L+{#rI~?I^EsIKvRH(*+I$W^EEe)Reu40 zD8UU~A1ZU-gcILjRlfzl`#dLNQGtAQWiU}5u`EWYl<8NIzEteSUv1FV>2FYG@T&h6 zeNjA)c zpAb445;6l#t`G=}@EQ`zGo9zBMt@sZQ9`GmC!J(UC^JgvJ8W)z6&XZ?!?h_j?QFMC z5TjKsKUig^nnqB)-bF44OSzo4&n`O6J49o#?IM^R)>{+a!Mu+4Hkg_2VyO*stRA$RN7*W618g?6>+Z*giMZBw`GN_O=_180IGx5Wntbbav>CNqF zlq+rc^I>y2SS%`AZ6ZNUVxoz~yox zGqg3Wt!7{5-OX0_+`yV>Vq*R)-|LJ(I#1(}lz!ATQSCdb;hHjL0$8RDou)Q6#OKs* z=j}2w6f9Xu%Qm|oCCpZUop^2nLh)nY(jR`)P8tO<*c1*CVL> zOI81+DjV3`x_?H|wtqdZDd37^jltwCY$H`G-CR{16eE|&?vtX~tdgzf5=@DFJxs{O|bqa5Mft*Z)s6?({jS6gM+} zrN{03Lw<5+GwB$)rg~OQM2sQK=Ncs^at4){D%%98KqZd}6@Pe%-@tFV51o9b@kRJ* z9jjfpS|0h$=YA(4V=P?SZJ)c9cI#GelkFCm&;4J7yfOvTC(7f+!YC=I@1%b8Z2wO(=JPEk7!8G&$s^AXhPdnXD?X%Y5uz%M3 z_3QAo_mge3*nh)AYeuJHe2P0ObuFTnNC@RcYp>LiGFJGNZAksLZ6&vF);{jS zlt#1J?hl5a+Uvr4C?WhaU-G_Uaig?J? 
za^^=Vl7BGoRoeRU3`b$vyWF^)Q@pl-eS1W_)||3kv)!a@ET{eJV08;zh5Ija0$<(3 z=vKQs=nTFNTb(tvt4)cl$&ApjH0)k&gAWL(#@xI(_e zT6elR$Ea$-D8I;5j2%VJgxo>A?I~`mks^<$M)rUr-&(_M&D4~uOR|%7&CQc0>rwlR za4h?_>l$z7X(OoEdV@^_tDa&fsh#$kjZ@nyT}72^t|G7er4sw=!tzT-@4w8q^Qw4U zp?`1}-8bUgB;l4gS5|p!LN+7lHd-PlABOT#sByP+mWjC$`C<{?k*Mde{gt~qCDihz z1vE~Qqf&h-F3~CNMC1#>91B(kW#)#We~YxqtDc z)3WPL1OaS^Cp-TM>hCu1f1Vs4 zy?w6#o?>jR|CV;))S;*ccQGDJQax)?>1;c}m}W@`pY0vAe^77bM;N93`x9gd9djY^ zvDbLW{!i+g{hy=5`t$kklZ-v+6Mt=rYWQYH_Tq95=Zm~V|P{eKVJD@f;$Lq zXBv_qMQN|r`kvo9AD(L=(c6QjND{%}qInK6mCEzSRM+fZN51D@{+F!TzgoqM$+%|z z6hGCJ*OrJbNpzK^_Uv1EuYGl$dawOUa^=1Db&`6o|J&Px3nHn=6m(i`jwGEIRAG`pRh9Y(Pa zpjMV#NhaY^?q|Ov$p%A0%HEsJ-hC!|k=W+=r=#=#NKT2=lrU9mPKnh1oFweoLysT` zf;Xq9_J0rr+y8^((>KrRC#UtZS!a>^%gPWe}qG33?+ z8k3X}jp`M|m?DochO0T~DZ&wRv_~EQ;V~SgL`TyjhpBvzlLW&8NO`k@o4~L8f%kWd z>)&py{C`GRhJWfW2>?Iv|Ks5G*_QvG)Ze^$^8d#e2hhSX$(ROb05BGE<$b<)0K+L& zKot=9-1vB29SfNdtucl%WoQUm7%?IdW<*kQ#ZZA3aD|W(r7#A{wSc+EwX@7(60i+pYeZgon51}*e3f-5e zkZaGzj@}HVq%nq2sd(dzv0D#4g>ptCJDZ-T7($a}N~7%b4Z4szgtvj`Q9hBVlp#ZI z=8i)c6QqZ=<&HB*kL z1Z(ehVS5sl$Yg}YDi7dSgiK|Gu{lVLM3NwnfeUT4u2PKXcn)!HQmeOZq}Ku%k{NM1a)wKbW8H7l<`Wzp13|B-TP6yZZ>Y%COF0oR0Ytfcf>#@%YQWo|4O6W5ea zEIOmykdXLGrtI&DnSf)2N)b7KW!En;5q9+mQ6||Ot|YOt8Eceqv=;S|pMxfJrK2d# zLVu_SLE>%`Ost30kKcZz`2xRXsP?1xxQKCp3?nV1)vTulLs=N~?|*n68ILKadTxLI zyQ9?8_^ZY$|F5ERt=k*62fn`14>iY+^8eZE)2;mf`t@n>l>Z-N)P49FT}UIT&B-PP zz^99IQ?Sd7+xlKlQ6ZT4M|iA4Z?UKX9e;y=>59f8)8%OrmP<<^37_CCBAa;(3BXkA zbg?iKlHXlDU4Jg2 zD&UI}-0=0TvhYnh@eQi_J@~`tITOnYdHi!+0( z{#X1_jfrJVX`(ablQ=eVMf)tjSyn6q(NtKyg|*sY&PI5+lGP5ep9>QIM3~9i@;=c6 zfQddKbTlMn4w`&LATY*jNGQ*AUVon&Yb`@Ur=J&{WJV}6M(8^O!RT<2Qcb2Yx+#8@vsSIc5r7<5LQ( zrnWBxVFYCQscRx*I4mRu=JoJxP>yAPVf?=%|Bt4~Qk2Tq>BDRV{ILH&3AXb8>B;fw zQ~rO9u~^hz!i**%DAcy6H-A3-E-_+>rWnG@nhgZCmtOlOwQbxK!FYlRp0<~<8^>Nw zS2fKa<+ok3y8hYrhQ8Zyw%%8Sk#egJ-$BcaM{ssxFKIH!#$$Q|mFgPI_=mZ63^pYa zZSqAihl!hW_?8hy#}s4Zh?aHV`xPC!rPpQ-vkV1S7!l*QN+bv$R)4|6EqF|k#R`Z- 
z*PEg3X>B+AJm1}Hbq9vlWD}F~U-({U4AMm!2eOKzZWGl$qZ+O$V~?gNwAm9O+qMc4lV!TyZzN#;&UYmhq4)wSG;aK{nHGll5#zU z%D+_gU#hZ&=H~q~hJUu}dcy!qnl%oSZ($p)TJ7eh;;0z8LUx~qEm>vfddlK<*ZKZE zdDo;{r_oj_SFAB%2+IJ zha9Va7ZOZBn1vod72Ltxd8hlKebG7|^)GtAeIA|nezuL4J%2n1VX^Sf#pE1k$ZQv| zVEFzj?2!%nX|8eBFF$fyh!e{1L+gDS{?z-_ZS4YFHw^`3FVj~d>3?7J-gnO1qrs>5?>oP>2Nv4qddf9QPFPOR1x02d78$a$Nlt#1J?hi*F+Uvr4C-Oz>V?!z9XA|7$Ie)GK)Nq?B{RoMFS0>|NM?_%q8zIbd2 z`}T-vqdB!*^L|=3p40wqSY85G;oI!F|WjO&^fUy<)I*PUU`394EM%FiG8#*ZTBLhc~W z?kQ}Wks=RgMs|ZTUs}U0&D50TDcR|!cWEa)9?hfq>(Bf+JpMrso2S@5P+>^@?(AF3Yom^MA_d!D5uF?C;+JxT10|{Fl_ek zgMV8yv<*hgFL#1TBr)Af6ozvC13~0nwrN41<2Uesp_6ID?T=GN_1tuW_`2Wr{5JJDF4Aop|On*YV3`dahhWeyXT4{XhwCsE{!LkHD8cSE@ zN_N{_s~c$wATe*a=(tyE%a5x5Va@Yh{hyQAqwW6&^*7t!f1RG3ojvt`k1=-ke`~*R z=1}y5`#29Ksh+o}biSQnOtU0}kM{uEh4CtOH;=sAAm|EKls{ePd6 z`s=6jpGO%7&?nk7+4i$dr+>JfB8RJtvY7G-q$K)ECb<3@RAs3xr$9}SF_wM2| z4MqbkBzgzX6iFgDTs8*~Q>i?ELS}W%{&nno{?&iUn*Ccmm`-ZuPjRbeytW3qBGK0@ zwP#<-d+Dp|)O+b)k+0rMUni;e^1r;DV#lx Xr|~rYN#lP400960RS`L105$*s7zxcA diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 1cabddf8abf37..eb76833e58a1e 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -42,6 +42,11 @@ spec: port: 8086 targetPort: 8086 --- +{{ if not .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "controller" -}} kind: Deployment apiVersion: apps/v1 metadata: 
@@ -53,16 +58,21 @@ metadata:
 annotations:
 {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
 spec:
- replicas: {{.ControllerReplicas}}
+ replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}}
 selector:
 matchLabels:
 {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ {{- include "partials.proxy.labels" .Proxy | nindent 6}}
 template:
 metadata:
 labels:
 {{.ControllerComponentLabel}}: controller
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ {{- include "partials.proxy.labels" .Proxy | nindent 8}}
 annotations:
 {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+ {{- include "partials.proxy.annotations" .Proxy| nindent 8}}
 spec:
 serviceAccountName: linkerd-controller
 containers:
@@ -126,9 +136,6 @@ spec:
 {{- include "linkerd.resources" .DestinationResources | nindent 8 }}
 securityContext:
 runAsUser: {{.ControllerUID}}
- {{- if not .Proxy.Image.Version -}}
- {{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}}
- {{ end -}}
 {{- include "partials.proxy" .Proxy | nindent 6 -}}
 volumes:
 - name: config
@@ -136,7 +143,7 @@ spec:
 name: linkerd-config
 {{- include "partials.proxy-identity-volume" . | nindent 6 -}}
 {{- if eq .HighAvailability true -}}
- {{- $local := dict "Label" .ControllerComponentLabel "Component" "controller" -}}
+ {{- $local := dict "Kind" "deployment" "Label" .ControllerComponentLabel -}}
 {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
 {{- end -}}
 {{end -}}
diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml
index 1042712e36000..aeba168fc21d9 100644
--- a/charts/linkerd/values.yaml
+++ b/charts/linkerd/values.yaml
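Review bot: The third hunk replaces `"Component" "controller"` in `$local` with `"Kind" "deployment"`, but `linkerd.pod-affinity` still renders `- {{ .Component }}` as the anti-affinity selector value (visible as context in the `_affinity.tpl` hunk further down the series), so with this change that list item renders empty and the selector no longer matches the controller pods. Patch 11 later switches the dict back to `"Component" "controller"`; if this commit is meant to stand on its own it should keep `{{- $local := dict "Label" .ControllerComponentLabel "Component" "controller" -}}` here. In the first hunk, `.Proxy| nindent 8` is missing the space before the pipe that the neighbouring includes use.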
@@ -4,12 +4,12 @@ ClusterDomain: &cluster_domain cluster.local EnableH2Upgrade: true -HighAvailability: &high_availability true +HighAvailability: &high_availability false ImagePullPolicy: IfNotPresent Namespace: &namespace linkerd # controller configuration -ControllerReplicas: 1 +ControllerReplicas: 2 ControllerImage: gcr.io/linkerd-io/controller ControllerLogLevel: info ControllerUID: 2103 @@ -17,6 +17,7 @@ ControllerUID: 2103 # proxy configuration Proxy: ClusterDomain: *cluster_domain + DisableIdentity: false EnableExternalProfile: false HighAvailability: *high_availability IdentityTrustAnchors: | diff --git a/charts/partials/templates/_metadata.tpl b/charts/partials/templates/_metadata.tpl new file mode 100644 index 0000000000000..8fe5c100387de --- /dev/null +++ b/charts/partials/templates/_metadata.tpl @@ -0,0 +1,8 @@ +{{- define "partials.proxy.annotations" -}} +linkerd.io/identity-mode: {{ternary "disabled" "default" (eq .DisableIdentity true)}} +linkerd.io/proxy-version: {{.Image.Version}} +{{- end -}} + +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.WorkloadKind}}: {{.Component}} +{{- end -}} From 149cb4651dc080e53f80cd28a6e754e5c6aa6098 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 25 Jul 2019 13:33:21 -0700 Subject: [PATCH 04/43] Add proxy-init partial template Signed-off-by: Ivan Sim --- charts/linkerd/charts/partials-0.1.0.tgz | Bin 3070 -> 3404 bytes charts/linkerd/templates/controller.yaml | 2 ++ charts/linkerd/values.yaml | 39 +++++++++++++++++------ charts/partials/templates/_proxy.tpl | 8 +++-- 4 files changed, 38 insertions(+), 11 deletions(-) 
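Review bot: `linkerd.io/proxy-version: {{.Image.Version}}` emits the version unquoted, so a value that YAML types as a number (a `--set` of `2.4`, say) renders as a float and the API server rejects the annotation, which must be a string; `linkerd.io/proxy-version: {{.Image.Version | quote}}` avoids that. Both new defines also read `.WorkloadKind` and `.Component`, which are not keys in `values.yaml` but are injected with `set` by the calling template, so a comment such as `{{/* expects .WorkloadKind and .Component to be set by the including template */}}` above them would make that contract visible to the next caller.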
diff --git a/charts/linkerd/charts/partials-0.1.0.tgz b/charts/linkerd/charts/partials-0.1.0.tgz index 8248aa60b848a2359ba62eeaf150195bdbca0bda..fbdcc1c32d301b60984a70d32136552a7fd9a44c 100644 GIT binary patch delta 3378 zcmV-24bAfY7t9)vJAXUxa~ipl`8i)J9!ONk zwP$@te~MDl1S9Z$Zu4@ zlL$tHDYTx83r&nuR1wS<9ss}|e9bRWax`0{qF&4oVn&o&ZRRGRW~xSFF$|c92{W5uDuUmB_Y7vJfx=j#?pZ&&Hle1OazGWd z_S-hxob8DqK2J@^G7S2D9-W- z8h>G!y00mw)m0sMr{rIF0WWa9(i z)7hy>*k#Ubey=B}5RCsLJW-K1pVxqnAb+Fz1Y zBm;rT1RPa(ZE^tU_1m4{pnrDp?)eK7CSuKCj2db+lToOQ#0Z9@Gh`+z1-<3d#eV{7 z0{&2f8@k^4^T33Yz+hFsg}(>9AY$P|vAQytD34j5Ao$Dlt4v>fyYYh!+PZ@c$_!rh zzoL(7Of6|j6P>GoB#GfG+GoX=g>MOnC&J1ts@Idyo>b! zV7yNRT@5LjfhJ!O2#oLwQp$5(l8l zIgN6q4S(KkE(eQ+zttvE)FdIASlksW@IO;Ub;;7k;hP`~!k`ho4c~@F9dm`Q@ToXf zliQb!Fbp#F)D@8lJTEx~W_t8CtopLQ(Er~O|A!M~8A=uC>|t5~_tyWf!;ScVd=wr% z#s9|`^LhOxOlcZ{LTzh$V}HZ%Qp1*bf)Tu|TSriT>2+=)lwb4gO)ju;pDabNYnFtG@{qw*H*}keVEUVz?MX! zO}r@AFn)6e-*Up}h+<+4(UKl`zo5fz;k8-AY(v2%#>CjI5-GxmrGN8q8y-<)i2@?g z)n;gGT3gM&D7u^N-noG_(Zt03gTU*KKsrz3kSzVEYogj`RKpcz%mlDp89GgEY=|$Y z-Ok%pWGGouNy|37A4{0606X#A1cdU-b4!2pZg;U(=v=bGVOjUcOIp{S{%Ha;Nx2?@ z{|{CBhw?YDxpn`HqJM4syrzH^$r^(xTG&RaR=S0%I4DLgk=-R>3+8X#PnF&7bJ4$t z?;tT_CXD+3>4QJ?|I|i*v|oA}k27wI|I38uff9iG&i{^%4macfQ~m!)<5r)ONpU?3 zDm`xJABvMZn@K0gHPy3PDiVxfKG!HYku&fUs%#U$2fv63K7YKxZxFQIi*7N~_#!-5 z$7^ProOF_tdvrqA6>?zTP`%(rhu6(ay=IJ&hF>>_UUd`PLuUXpStZEpwv-d zmryk=YIMwn#9LNt39hAJi^Z$;=glOge6d)0w-;sl^~xq+)$Ll`#iq>@bpXB(FF4)< z2EKn#WzMcNJ4_{?9I7e@+=1%Khnf^|v50Q*sRitya(}G4gjzkcfbMce;ZUuD*c03G z;K~CiOOUhT;Te9*sYG`uSF=bAh!$T+%C>;H=|D;ex5Z)Kcw)+1E>;By9|Bp{jHt&BNH;#^<{QqN&`FxA}FFilcLHY_{8H zRW$bU!9*w>L~p~lC)*LV`n`*@{^{_vdw$XB-M|ytj%;Y0-nyUPj?o(FuK0@hupL|f z)5SmgpL*?W2v<$x5@qSo@50*c-HCLQ$|BnADv-fh|9$tgGd%zF{(bk?&bdWxdp(rf zIDg0nQj93WqI(d%TQ()sG!9%>!W|K`MM@|yk9L+ivaA&Xe;d-EV~-L$*K03#VM?>r z>I^Q1A3B{u^R)Z9v!R{^Gn#RXnf`#7H5r}WiFhf)R=?Nlw6>!zMRynOVJ4CxSF4%t zrAW&#Vf%|`IEt2MR~xr8%f}XQV6OqT`7Tt&}c6a*gJ!RU6U zchSB0GHiF()UG}yvMzI8FVcf$jaWyX)ZE7%uwI;fI=>h;d##`QXXjP?-?hQv1{b#>Q`C~i 
zs(ffKYTgXR>otnaWr}N^MFm?NJD?n_VW@`5ZCFgIF0_aRi{PR)xC`BipiN}Nytx&b z$@u9`tT2$Xdl=zv*5Ee?ex~C|)7^|PMT+aa6;ASBv3mQ{h1c2-Bcl6L#M(DceeqlO&ulpbYJ!Zxn2AeBiH;|fk6(dAlYd!H(UvNe=Y%KT z9&jAHUl_c|B#!7cChn(N|8Wq2$-O~vJJXN^8A|)ps=y1{=fiU?Bzk+$5@{+pd~TgX zLZ$M8G1YbZw>T^dF8@o`?cegjWL!6Y%CBn5>nlW;B>tLb_U@zdUIywa^Iis*-+5ol9K$AIPuO3A(5rwa5(QXWJ;u_gsEC{LZtR*Bw;Tedjvrc zygNCu|AQdd{2v^iyn9hUI;p=s4i4+}qZdK_D5xL3fZ)+7xqoA1N)!1a_&=|;xw#)? zkd$7aR8;T~rge{`Y5B8K_k)TTqlzR=wSCoqpOGaH8C`)$a7`$ud<>_QU!ja4*Cx=I zq>N}(Zy?4Ld5ke!&OlEP4w!>I@Bj#p;UFbCnjAQs%J(=)Ff0%$Z(2|j_;o+<{%&^t zzZ<3fPYKIV{eLA6-~szT436J!+W+D4yJ!1YhgvGRDvYkeCWZwUDzA_?Yq=4?vS~2ud659)CcZG1eE1Mzat)qpr|>i3+*) ztncVeQA!$P2$hOA${4%#(o-m>G_tGdS&AVvS*A3~PTyb`Qit$9@I1=L5|uJw$j#bu z2qVH2TF=FWCdMhM5atUH0ALTUvP+a4%@(Ps<@5cB5v7)!xech9s*=dKy^59@RtyzH zPeQ190Dlvqw50){>YQX1Z%C3d^qGhVGn-&4gx`Mm3}&c;!bqa-T0gorp{kj3Kr3kN zuWh(JiArQL!eWUsQCqm2Khcdm7NgZ8s96?*e|73c{33xAh17LhIwldxD=2ub)DZvolJV?Y2VTBq~5 z!L+{#rI~?I^EsIKvRH(*+I$W^EEe)Reu40 zD8UU~A1ZU-gcILjRlfzl`#dLNQGtAQWiU}5u`EWYl<8NIzEteSUv1FV>2FYG@T&h6 zeNjA)c zpAb445;6l#t`G=}@EQ`zGo9zBMt@sZQ9`GmC!J(UC^JgvJ8W)z6&XZ?!?h_j?QFMC z5TjKsKUig^nnqB)-bF44OSzo4&n`O6J49o#?IM^R)>{+a!Mu+4Hkg_2VyO*stRA$RN7*W618g?6>+Z*giMZBw`GN_O=_180IGx5Wntbbav>CNqF zlq+rc^I>y2SS%`AZ6ZNUVxoz~yox zGqg3Wt!7{5-OX0_+`yV>Vq*R)-|LJ(I#1(}lz!ATQSCdb;hHjL0$8RDou)Q6#OKs* z=j}2w6f9Xu%Qm|oCCpZUop^2nLh)nY(jR`)P8tO<*c1*CVL> zOI81+DjV3`x_?H|wtqdZDd37^jltwCY$H`G-CR{16eE|&?vtX~tdgzf5=@DFJxs{O|bqa5Mft*Z)s6?({jS6gM+} zrN{03Lw<5+GwB$)rg~OQM2sQK=Ncs^at4){D%%98KqZd}6@Pe%-@tFV51o9b@kRJ* z9jjfpS|0h$=YA(4V=P?SZJ)c9cI#GelkFCm&;4J7yfOvTC(7f+!YC=I@1%b8Z2wO(=JPEk7!8G&$s^AXhPdnXD?X%Y5uz%M3 z_3QAo_mge3*nh)AYeuJHe2P0ObuFTnNC@RcYp>LiGFJGNZAksLZ6&vF);{jS zlt#1J?hl5a+Uvr4C?WhaU-G_Uaig?J? 
za^^=Vl7BGoRoeRU3`b$vyWF^)Q@pl-eS1W_)||3kv)!a@ET{eJV08;zh5Ija0$<(3 z=vKQs=nTFNTb(tvt4)cl$&ApjH0)k&gAWL(#@xI(_e zT6elR$Ea$-D8I;5j2%VJgxo>A?I~`mks^<$M)rUr-&(_M&D4~uOR|%7&CQc0>rwlR za4h?_>l$z7X(OoEdV@^_tDa&fsh#$kjZ@nyT}72^t|G7er4sw=!tzT-@4w8q^Qw4U zp?`1}-8bUgB;l4gS5|p!LN+7lHd-PlABOT#sByP+mWjC$`C<{?k*Mde{gt~qCDihz z1vE~Qqf&h-F3~CNMC1#>91B(kW#)#We~YxqtDc z)3WPL1OaS^Cp-TM>hCu1f1Vs4 zy?w6#o?>jR|CV;))S;*ccQGDJQax)?>1;c}m}W@`pY0vAe^77bM;N93`x9gd9djY^ zvDbLW{!i+g{hy=5`t$kklZ-v+6Mt=rYWQYH_Tq95=Zm~V|P{eKVJD@f;$Lq zXBv_qMQN|r`kvo9AD(L=(c6QjND{%}qInK6mCEzSRM+fZN51D@{+F!TzgoqM$+%|z z6hGCJ*OrJbNpzK^_Uv1EuYGl$dawOUa^=1Db&`6o|J&Px3nHn=6m(i` Date: Thu, 25 Jul 2019 13:33:38 -0700 Subject: [PATCH 05/43] Remove partials chart .tgz file Signed-off-by: Ivan Sim --- charts/linkerd/charts/partials-0.1.0.tgz | Bin 3404 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 charts/linkerd/charts/partials-0.1.0.tgz 
diff --git a/charts/linkerd/charts/partials-0.1.0.tgz b/charts/linkerd/charts/partials-0.1.0.tgz deleted file mode 100644 index fbdcc1c32d301b60984a70d32136552a7fd9a44c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3404 zcmV-S4YTqeiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH*Oa~ipl`8MwBs_t^hocyzL9|A)sXPxk*9V-MOmB01CG6aYp-F0C){_TXYd6;K5P zzBE6c)<#06L~Bf7L>U@@HpYxdgej4fTryOk1zaLzL@7*waxGvca=CH}f#*rg7>!9w z9(>I&QF1g}q@rHT4`N1?T5aYgpk}H@V&nFFEpzk@6+}-W zsCxhtp|qs|pyr%p4X;U>F$|c92{W5uDuUmB_Y7vJfx=j#?pZ&&Hle1OazGWd_S-hx zob8DqK2J@^G7S2mTT<`TSI_H7D)(^GDeewU~=y)Uk9~~dQd5Zs!F&Y89AY$P|vAQytD34j5Ao$Dlt4v>fyYYh!+PZ@c$_!rhzoL(7Of6|j z6P>GoB#GfG+GoX=g>MOnC&J1ts@Idyo>b!V7yNRT@5Lj zfhJ!O2#oLwQp$5(-E$zK9%R!r{u4ns&C^Cx}s1%lE6y zRMQx0SG&k%elV>iY`X|%hxOKkw?8js#wrXc4a10!W{dqBl3NiP8B#U` zV)wGuhL+j#4n{QSw}-vv$Ib>jGLh`6s0@6PWx;yJY$m?Dl~pS?y}CJ#a-|J_-fb=i zi-o_{CQ{TSA(~j+6)W&RQ$=;j(#GMNAPmBw5xouHhDIH8g|6_aI98L}my9qBGWFCI zkqJC6IR$2V^fs*evcJ&(-xB|a6J!}m73l0?S^@Xg|F6T1_YkFhD?^45-c!CkUtXoG=f9Z9uGh4<@5R4@l=V@yh+c@?LxSA>cD8Ffvwbg4| z8wRf7Y^|?!Bh^wJzJr!IkKyFC{YcaEd^Doh;MZ2jjD48Tj=+{gqD{Og*D!u_2H$eR z=!jxs4AGJvc)y^-ZsE0A!)!yrCC0?qtr981ho$py8y-<)i2@?g)n;gGT3gM&D7u^N z-noG_(Zt03gTU*KKsrz3kSzVEYogj`RKpcz%mlDp89GgEY=|$Y-Ok%pWGGouNy|37 zA4{0606X#A1cdU-b4!2pZg;U(=v=bGVOjUcOIp{S{%Ha;Nx2?@{|{CBhw?YDxpn`H zqHX)Urhpa68iOfX*hZ>Wx`nDZC`K-k-6dfQ=5O6kmEG=h(Z7f9ATeVmjQaoSgFp2D z)JA`_UwRskGj5Cj%Y^5F5`g>8|Bj9hH{<_P{r^bgR-cneaXkwvJ#Ob8ijzB=NhioP z)w5bE5{zIz*C;uWGw>6tY!ko-zlaGwyufb|wB3ttG1K@WJXptS*R3s&{O0qZo02h> zF72kz-AcQ4t2fDZ3(V)iFG7Ab1=9!0lf}X=)e>nYICA}OSvQUFsjq+HS47cXMOc`t6%;&+t8s9)j9d!An z$awa1aj}SQ@u>yupmMCbgjzkcfbMce;ZUuD*c03G;K~CiOOUhT;Te9*sYG`u zSF=bAh!$T+%C>;H-WSTY`u_*( z{@m;Tk55iE?|&ROj*g%F|6`2#e2e=pJwNiPbNtTsPrJPjowN4gaB$ZD^~>*nes6gGxixII+h=y^!?!2f5w-fg zi?jae@U(k=(dpg56WWe!Xq?`Co@O z+U?zmbd$;=+UzQj!CC)(_p~!S|MdQS_t(z3MQwXMl-oGS22zYD!=if-y<0XV)HDuU 
zSHc|;v_(oNFOPPXI$J9`E=6}2?qMd9Ay=!J@1;n~Fk$qT`7Tt&}c6a*gJ!RU6UchSB0GHiF()UG}yvMzI8FVcf$ zjaWyX)ZE7%uwI;fI=>h;d##`QXXjP?-?F0*eye$E zkIJg33e8pIAXq7Jur91%$>`@VitQYfA1f5@qWeain}TO2!} z9IRoehRJPMOsX!lhy{z_qBXb+-HM=1WW>C=6`9HS=}xRLkh6Oj;cnL8Hwb>F<4M!q zj4(xt>%A3D@?Wuf`_qNn!&Gs*6o=Rf|2aMhpX$Fy8F%#1S4QZ%=;du>d$rha_}=PT z@!@g!k$TlD$kqGDODF@hV+Vh;fpZH98`!szP=#r1Qt+eM|HH>^_U|0pquu`r8*gs( ze~zB|KaVrE_J3Ak%c(=z585TRVVdb#n@SgYQ%q={M)1)Z;gk9OOO2)d2NPteJ8gLA zHSV+jeqlO&ulpb zYJ!Zxn2AeBiH;|fk6(dAlUYyEmMWF!geTq}a2&f|7`(_Nj_5Te?x$M+aS(vXy+Lq0 z(~txiO8e8Qzzf>v!*eYpdVA0kX(~8;Zk!&p60GFxH-_ ioJrlmN%6;%J9`>W<7xbz#{UEW0RR7l;|uWsL;wI5FsP>h From 8a636205a7d42c459bc661632208300de82e411f Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 25 Jul 2019 13:43:53 -0700 Subject: [PATCH 06/43] Script to lint Helm charts and update their dependencies Signed-off-by: Ivan Sim --- bin/helm.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100755 bin/helm.sh diff --git a/bin/helm.sh b/bin/helm.sh new file mode 100755 index 0000000000000..5fb08e26ab9bb --- /dev/null +++ b/bin/helm.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +set -eu + +bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +rootdir="$( cd $bindir/.. && pwd )" + +helm lint $rootdir/charts/partials + +helm dep up $rootdir/charts/linkerd +helm lint $rootdir/charts/linkerd From fd2d2e40522d921c7ca536210e3e663be3df95fa Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 25 Jul 2019 13:45:06 -0700 Subject: [PATCH 07/43] Update partials chart Chart.yaml Signed-off-by: Ivan Sim --- charts/partials/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/partials/Chart.yaml b/charts/partials/Chart.yaml index 6158530270ef6..ddfb6c2925ef7 100644 --- a/charts/partials/Chart.yaml +++ b/charts/partials/Chart.yaml 
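Review bot: `rootdir="$( cd $bindir/.. && pwd )"` and the three `helm` invocations expand `$bindir`/`$rootdir` unquoted, so a checkout path containing whitespace or glob characters is word-split before `cd` or `helm` sees it; quote them, e.g. `rootdir="$( cd "$bindir/.." && pwd )"` and `helm lint "$rootdir/charts/partials"`. Since `helm dep up` appears to fetch the partials chart into `charts/linkerd/charts/` (the `.tgz` removed in the previous patch), a one-line comment saying that the script repopulates that directory would help whoever runs it next.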
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: "1.0"
+appVersion: stable-v2.4.0
 description: A Helm chart containing Linkerd partial templates, depended by the 'linkerd' and 'patch' charts.
 name: partials
 version: 0.1.0
From fd2c04887b05bf4dca8eea9413eedaedc4d98c07 Mon Sep 17 00:00:00 2001
From: Ivan Sim
Date: Thu, 25 Jul 2019 14:01:37 -0700
Subject: [PATCH 08/43] Add proxy-init and resource partial templates
Signed-off-by: Ivan Sim
---
 charts/partials/templates/_proxy-init.tpl | 32 +++++++++++++++++++++++
 charts/partials/templates/_resource.tpl | 17 ++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 charts/partials/templates/_proxy-init.tpl
 create mode 100644 charts/partials/templates/_resource.tpl
diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl
new file mode 100644
index 0000000000000..f3d289cd96c80
--- /dev/null
+++ b/charts/partials/templates/_proxy-init.tpl
@@ -0,0 +1,32 @@
+{{- define "partials.proxy-init" -}}
+- args:
+ - --incoming-proxy-port
+ - {{.Proxy.Port.Inbound | quote}}
+ - --outgoing-proxy-port
+ - {{.Proxy.Port.Outbound | quote}}
+ - --proxy-uid
+ - {{.Proxy.UID | quote}}
+ - --inbound-ports-to-ignore
+ - {{.Proxy.Port.Control}},{{.Proxy.Port.Admin}}{{ternary (printf ",%s" .Proxy.Port.IgnoreInboundPorts) "" (ne .Proxy.Port.IgnoreInboundPorts "")}}
+ - --outbound-ports-to-ignore
+ - {{.Proxy.Port.IgnoreOutboundPorts | quote}}
+ image: {{.Image.Name}}:{{.Image.Version}}
+ imagePullPolicy: {{.Image.PullPolicy}}
+ name: linkerd-init
+ resources:
+ {{- if .ResourceRequirements -}}
+ {{- toYaml .ResourceRequirements | trim | nindent 4 -}}
+ {{- else -}}
+ {{- include "partials.proxy-init.resource" .Proxy | nindent 4 -}}
+ {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: false
+ runAsUser: 0
+{{- end -}}
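Review bot: The `--inbound-ports-to-ignore` value is the only argument not passed through `quote`, and its `ne .Proxy.Port.IgnoreInboundPorts ""` / `printf ",%s"` pair either fails to render or prints a `<nil>` placeholder when that key is absent from values; `- "{{.Proxy.Port.Control}},{{.Proxy.Port.Admin}}{{with .Proxy.Port.IgnoreInboundPorts}},{{.}}{{end}}"` handles both the unset and the empty case and keeps the argument a string. Given the init container runs as UID 0 with `NET_ADMIN`/`NET_RAW`, a short comment above `securityContext` stating why those capabilities are needed (presumably to install the traffic-redirect rules) and that `allowPrivilegeEscalation: false`, `privileged: false` and `readOnlyRootFilesystem: true` are the deliberate compensating controls would help anyone auditing the pod spec.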
diff --git a/charts/partials/templates/_resource.tpl b/charts/partials/templates/_resource.tpl
new file mode 100644
index 0000000000000..fed12ef4f18f7
--- /dev/null
+++ b/charts/partials/templates/_resource.tpl
@@ -0,0 +1,17 @@
+{{- define "partials.proxy.resource" -}}
+limits:
+ cpu: "1"
+ memory: 250Mi
+requests:
+ cpu: 100m
+ memory: 20Mi
+{{- end -}}
+
+{{- define "partials.proxy-init.resource" -}}
+limits:
+ cpu: 100m
+ memory: 50Mi
+requests:
+ cpu: 10m
+ memory: 10Mi
+{{- end -}}
From f42b053ce1e46c89ba3eea0a11986348b5f82733 Mon Sep 17 00:00:00 2001
From: Ivan Sim
Date: Thu, 25 Jul 2019 14:02:56 -0700
Subject: [PATCH 09/43] Replace hard coded namespace variable in proxy env var
Signed-off-by: Ivan Sim
---
 charts/partials/templates/NOTES.txt | 19 -----------
 charts/partials/templates/_proxy.tpl | 2 +-
 charts/partials/values.yaml | 48 ----------------------------
 3 files changed, 1 insertion(+), 68 deletions(-)
diff --git a/charts/partials/templates/NOTES.txt b/charts/partials/templates/NOTES.txt
index f672e735b8dad..e69de29bb2d1d 100644
--- a/charts/partials/templates/NOTES.txt
+++ b/charts/partials/templates/NOTES.txt
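Review bot: Neither define carries a header comment, and nothing records that these are the built-in values the proxy and proxy-init containers fall back to when `.ResourceRequirements` is unset; a line such as `{{/* Default resources for the proxy-init container, used when .ResourceRequirements is not set */}}` above each would make the fallback discoverable from this file. The `include "partials.proxy-init.resource" .Proxy` call in the previous hunk passes a context that this template never reads, so passing `.` or an empty `dict` there would make the lack of dependency explicit.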
@@ -1,19 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "partials.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "partials.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "partials.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "partials.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index eaad6fbfc59b6..1cc8e58007b84 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl 
@@ -34,7 +34,7 @@ - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 + value: linkerd-identity.{{.ControlPlaneNamespace}}.svc.cluster.local:8080 - name: _pod_sa valueFrom: fieldRef: diff --git a/charts/partials/values.yaml b/charts/partials/values.yaml index b433518eb1885..e69de29bb2d1d 100644 --- a/charts/partials/values.yaml +++ b/charts/partials/values.yaml @@ -1,48 +0,0 @@ -# Default values for partials. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: nginx - tag: stable - pullPolicy: IfNotPresent - -nameOverride: "" -fullnameOverride: "" - -service: - type: ClusterIP - port: 80 - -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - path: / - hosts: - - chart-example.local - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} From d72f17ab381a4e058a659e163cc4ac491669d6a0 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 25 Jul 2019 14:04:47 -0700 Subject: [PATCH 10/43] Ignore chart dependencies .tgz files Signed-off-by: Ivan Sim --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index fbc008841f8c5..87f6dfee4f7cc 100644 --- a/.gitignore +++ b/.gitignore 
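Review bot: The new `LINKERD2_PROXY_IDENTITY_SVC_ADDR` value still hard-codes `.svc.cluster.local` while the namespace is now templated, so on a cluster with a different DNS domain the proxy cannot reach the identity service and certificate issuance fails; `value: linkerd-identity.{{.ControlPlaneNamespace}}.svc.{{.ClusterDomain}}:8080` uses the `ClusterDomain` key that already exists under `Proxy` in `values.yaml`. The enclosing `partials.proxy` define starts and ends outside the hunk.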
@@ -14,3 +14,4 @@ web/app/yarn-error.log .golangci-lint* **/*.gogen* **/*.swp +charts/*/charts/ From c32f62f4e2938cb893bbbd9c008ca8088aa0eb7c Mon Sep 17 00:00:00 2001 From: ihcsim Date: Thu, 25 Jul 2019 20:24:42 -0700 Subject: [PATCH 11/43] Add missing fields and re-order YAML elements to match CLI output Signed-off-by: ihcsim --- charts/linkerd/templates/_affinity.tpl | 6 +- charts/linkerd/templates/controller-rbac.yaml | 2 +- charts/linkerd/templates/controller.yaml | 82 ++++++++++--------- charts/linkerd/templates/namespace.yaml | 2 +- charts/linkerd/values.yaml | 17 +++- charts/partials/templates/_proxy.tpl | 10 ++- charts/partials/templates/_volumes.tpl | 4 +- 7 files changed, 71 insertions(+), 52 deletions(-) diff --git a/charts/linkerd/templates/_affinity.tpl b/charts/linkerd/templates/_affinity.tpl index 9bd3ff4fba6e4..2d3d80451e0fd 100644 --- a/charts/linkerd/templates/_affinity.tpl +++ b/charts/linkerd/templates/_affinity.tpl @@ -2,15 +2,15 @@ affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: + - podAffinityTerm: labelSelector: matchExpressions: - key: {{ .Label }} operator: In values: - {{ .Component }} - topologyKey: failure-domain.beta.kubernetes.io/zone + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: diff --git a/charts/linkerd/templates/controller-rbac.yaml b/charts/linkerd/templates/controller-rbac.yaml index f18c144b53aee..0a199ccec694d 100644 --- a/charts/linkerd/templates/controller-rbac.yaml +++ b/charts/linkerd/templates/controller-rbac.yaml @@ -52,4 +52,4 @@ metadata: labels: {{.ControllerComponentLabel}}: controller {{.ControllerNamespaceLabel}}: {{.Namespace}} -{{end -}} +{{- end -}} diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index c66a9b1457fee..d15be918e0b7b 100644 --- a/charts/linkerd/templates/controller.yaml 
+++ b/charts/linkerd/templates/controller.yaml
@@ -47,16 +47,16 @@ spec:
 {{ end -}}
 {{ $_ := set .Proxy "WorkloadKind" "deployment" -}}
 {{ $_ := set .Proxy "Component" "controller" -}}
-kind: Deployment
 apiVersion: apps/v1
+kind: Deployment
 metadata:
- name: linkerd-controller
- namespace: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
 labels:
 {{.ControllerComponentLabel}}: controller
 {{.ControllerNamespaceLabel}}: {{.Namespace}}
- annotations:
- {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+ name: linkerd-controller
+ namespace: {{.Namespace}}
 spec:
 replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}}
 selector:
@@ -66,86 +66,90 @@ spec: {{- include "partials.proxy.labels" .Proxy | nindent 6}} template: metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: controller {{.ControllerNamespaceLabel}}: {{.Namespace}} {{- include "partials.proxy.labels" .Proxy | nindent 8}} - annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} - {{- include "partials.proxy.annotations" .Proxy| nindent 8}} spec: - serviceAccountName: linkerd-controller + {{- if eq .HighAvailability true -}} + {{- $local := dict "Component" "controller" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} containers: - - name: public-api - ports: - - name: http - containerPort: 8085 - - name: admin-http - containerPort: 9995 - volumeMounts: - - name: config - mountPath: /var/run/linkerd/config - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} - imagePullPolicy: {{.ImagePullPolicy}} - args: + - args: - "public-api" - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.cluster.local:9090" - - "-tap-addr=linkerd-tap.{{.Namespace}}.svc.cluster.local:8088" + - "-tap-addr=linkerd-tap.{{.Namespace}}.svc.{{.ClusterDomain}}:8088" - "-controller-namespace={{.Namespace}}" - "-log-level={{.ControllerLogLevel}}" + image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: path: /ping port: 9995 initialDelaySeconds: 10 + name: public-api + ports: + - containerPort: 8085 + name: http + - containerPort: 9995 + name: admin-http readinessProbe: + failureThreshold: 7 httpGet: path: /ready port: 9995 - failureThreshold: 7 + {{- if eq .HighAvailability true -}} {{- include "linkerd.resources" .PublicAPIResources | nindent 8 }} 
+ {{- end }} securityContext: runAsUser: {{.ControllerUID}} - - name: destination - ports: - - name: grpc - containerPort: 8086 - - name: admin-http - containerPort: 9996 volumeMounts: - - name: config - mountPath: /var/run/linkerd/config - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} - imagePullPolicy: {{.ImagePullPolicy}} - args: + - mountPath: /var/run/linkerd/config + name: config + - args: - "destination" - "-addr=:8086" - "-controller-namespace={{.Namespace}}" - "-enable-h2-upgrade={{.EnableH2Upgrade}}" - "-log-level={{.ControllerLogLevel}}" + image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: path: /ping port: 9996 initialDelaySeconds: 10 + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http readinessProbe: + failureThreshold: 7 httpGet: path: /ready port: 9996 - failureThreshold: 7 + {{- if eq .HighAvailability true -}} {{- include "linkerd.resources" .DestinationResources | nindent 8 }} + {{- end }} securityContext: runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config {{- include "partials.proxy" .Proxy | nindent 6 -}} initContainers: {{- include "partials.proxy-init" .ProxyInit | nindent 6 -}} + serviceAccountName: linkerd-controller volumes: - name: config configMap: name: linkerd-config {{- include "partials.proxy-identity-volume" . | nindent 6 -}} - {{- if eq .HighAvailability true -}} - {{- $local := dict "Kind" "deployment" "Label" .ControllerComponentLabel -}} - {{- include "linkerd.pod-affinity" $local | nindent 6 -}} - {{- end -}} {{end -}} diff --git a/charts/linkerd/templates/namespace.yaml b/charts/linkerd/templates/namespace.yaml index 0fdd8e58d9b92..a1da0cca015ac 100644 --- a/charts/linkerd/templates/namespace.yaml +++ b/charts/linkerd/templates/namespace.yaml 
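Review bot: `-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.cluster.local:9090` keeps a hard-coded cluster domain while the adjacent `-tap-addr` line in the same hunk was switched to `{{.ClusterDomain}}`; the two should agree: `- "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090"`. The `linkerd.resources` includes are now gated on `HighAvailability`, which looks intentional (it mirrors the proxy partial), but a comment on the first `{{- if eq .HighAvailability true -}}` saying so would stop a later reader from treating non-HA installs' missing limits as an omission. The controller containers set only `runAsUser` in their `securityContext`, whereas the proxy and proxy-init partials also set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; if the controller binaries tolerate a read-only root, applying the same hardening here would keep the control plane consistent with its sidecars.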
@@ -12,4 +12,4 @@ metadata: {{.ProxyInjectAnnotation}}: {{.ProxyInjectDisabled}} labels: {{.LinkerdNamespaceLabel}}: "true" -{{end -}} +{{- end -}} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 9fd9c4f6f7baa..a99f70099dbc4 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -4,15 +4,28 @@ ClusterDomain: &cluster_domain cluster.local EnableH2Upgrade: true -HighAvailability: &high_availability false +HighAvailability: &high_availability true ImagePullPolicy: IfNotPresent Namespace: &namespace linkerd # controller configuration -ControllerReplicas: 2 +ControllerReplicas: 3 ControllerImage: gcr.io/linkerd-io/controller ControllerLogLevel: info ControllerUID: 2103 +ControllerResources: &controller_resources + CPU: + Limit: "1" + Request: 100m + Memory: + Limit: 250Mi + Request: 50Mi + +PublicAPIResources: + <<: *controller_resources + +DestinationResources: + <<: *controller_resources # proxy configuration Proxy: diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 1cc8e58007b84..3538dd2222789 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -30,7 +30,7 @@ value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | - {{- .IdentityTrustAnchors | nindent 6 -}} + {{- .IdentityTrustAnchors | trim | nindent 6 }} - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR @@ -56,6 +56,7 @@ httpGet: path: /metrics port: {{.Port.Admin}} + initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: {{.Port.Inbound}} @@ -68,7 +69,8 @@ httpGet: path: /ready port: {{.Port.Admin}} - {{ if eq .HighAvailability true -}} + initialDelaySeconds: 2 + {{- if eq .HighAvailability true -}} resources: {{- if .ResourceRequirements -}} {{- toYaml .ResourceRequirements | trim | nindent 4 -}} 
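Review bot: `ControllerReplicas` is only honoured when `HighAvailability` is true (controller.yaml renders `replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}}`), but the values file does not say so, and with the default now flipped to `true` a user who sets `HighAvailability: false` will be surprised that `ControllerReplicas: 3` is ignored; `# only used when HighAvailability is true; non-HA installs always run 1 replica` above `ControllerReplicas` would document it. The `<<: *controller_resources` merge keys are a YAML 1.1 extension that Helm's loader accepts but not every tool that consumes values files does, so a comment on `ControllerResources` noting that the anchor is the single place to tune control-plane resources would help whoever edits this later.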
@@ -81,6 +83,6 @@ readOnlyRootFilesystem: true runAsUser: {{.UID}} volumeMounts: - - name: linkerd-identity-end-entity - mountPath: /var/run/linkerd/identity/end-entity + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity {{ end -}} diff --git a/charts/partials/templates/_volumes.tpl b/charts/partials/templates/_volumes.tpl index f3717cbd60af5..62aea8b22d681 100644 --- a/charts/partials/templates/_volumes.tpl +++ b/charts/partials/templates/_volumes.tpl @@ -1,5 +1,5 @@ {{ define "partials.proxy-identity-volume" -}} -- name: linkerd-identity-end-entity - emptyDir: +- emptyDir: medium: Memory + name: linkerd-identity-end-entity {{- end -}} From 3df9a03665f99e1d83543350e2690b71994bc1d5 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Thu, 25 Jul 2019 20:42:08 -0700 Subject: [PATCH 12/43] Reuse control plane's resource partial template in 'partials' chart Signed-off-by: ihcsim --- charts/linkerd/templates/_resources.tpl | 16 +++++----- charts/linkerd/values.yaml | 28 ++++++++--------- charts/partials/templates/_proxy-init.tpl | 7 +---- charts/partials/templates/_proxy.tpl | 7 +---- charts/partials/templates/_resource.tpl | 38 +++++++++++++---------- 5 files changed, 45 insertions(+), 51 deletions(-) diff --git a/charts/linkerd/templates/_resources.tpl b/charts/linkerd/templates/_resources.tpl index cf75912293c20..ce5fede579325 100644 --- a/charts/linkerd/templates/_resources.tpl +++ b/charts/linkerd/templates/_resources.tpl 
@@ -1,21 +1,21 @@ {{/* Specify resource requests and limits for workloads */}} {{- define "linkerd.resources" -}} resources: - {{- if or .CPU.Request .Memory.Request }} - requests: - {{- with .CPU.Request }} + {{- if or .CPU.Limit .Memory.Limit }} + limits: + {{- with .CPU.Limit }} cpu: {{.}} {{- end }} - {{- with .Memory.Request }} + {{- with .Memory.Limit }} memory: {{.}} {{- end }} {{- end }} - {{- if or .CPU.Limit .Memory.Limit }} - limits: - {{- with .CPU.Limit }} + {{- if or .CPU.Request .Memory.Request }} + requests: + {{- with .CPU.Request }} cpu: {{.}} {{- end }} - {{- with .Memory.Limit }} + {{- with .Memory.Request }} memory: {{.}} {{- end }} {{- end }} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index a99f70099dbc4..8a3879c0e76a1 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -60,13 +60,13 @@ Proxy: UID: &proxy_uid 2102 # use this to override the default resource requirements in HA mode - #ResourceRequirements: - #limits: - #cpu: "1" - #memory: 250Mi - #requests: - #cpu: 100m - #memory: 20Mi + ResourceRequirements: + CPU: + Limit: "1" + Request: 100m + Memory: + Limit: 250Mi + Request: 20Mi # proxy-init configuration ProxyInit: @@ -82,13 +82,13 @@ ProxyInit: UID: *proxy_uid # use this to override the default resource requirements in HA mode - #ResourceRequirements: - #limits: - #cpu: "100m" - #memory: 50Mi - #requests: - #cpu: 10m - #memory: 10Mi + ResourceRequirements: + CPU: + Limit: 100m + Request: 10m + Memory: + Limit: 50Mi + Request: 10Mi # annotations CreatedByAnnotation: linkerd.io/created-by diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index f3d289cd96c80..ee6f5722b7cf7 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl 
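Review bot: Both `# use this to override the default resource requirements in HA mode` comments in the values.yaml hunks are now stale: `ResourceRequirements` is no longer an optional override but the only source of values (the built-in defaults in `_resource.tpl` are removed in this commit), and for `ProxyInit` the block is applied unconditionally by `_proxy-init.tpl`, while only the proxy's block is still gated on `HighAvailability`. Suggest `# resource requests/limits for the proxy sidecar; applied only when HighAvailability is true` on the `Proxy` block and `# resource requests/limits for the proxy-init container; always applied` on the `ProxyInit` block.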
@@ -13,12 +13,7 @@
 image: {{.Image.Name}}:{{.Image.Version}}
 imagePullPolicy: {{.Image.PullPolicy}}
 name: linkerd-init
- resources:
- {{- if .ResourceRequirements -}}
- {{- toYaml .ResourceRequirements | trim | nindent 4 -}}
- {{- else -}}
- {{- include "partials.proxy-init.resource" .Proxy | nindent 4 -}}
- {{- end }}
+ {{- include "partials.resource" .ResourceRequirements | nindent 2 }}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
index 3538dd2222789..6f610c29bf759 100644
--- a/charts/partials/templates/_proxy.tpl
+++ b/charts/partials/templates/_proxy.tpl
@@ -71,12 +71,7 @@
 port: {{.Port.Admin}}
 initialDelaySeconds: 2
 {{- if eq .HighAvailability true -}}
- resources:
- {{- if .ResourceRequirements -}}
- {{- toYaml .ResourceRequirements | trim | nindent 4 -}}
- {{- else -}}
- {{- include "partials.proxy.resource" .Proxy | nindent 4 -}}
- {{- end }}
+ {{- include "partials.resource" .ResourceRequirements | nindent 2 -}}
 {{- end }}
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/charts/partials/templates/_resource.tpl b/charts/partials/templates/_resource.tpl
index fed12ef4f18f7..aa5dbf769fb2a 100644
--- a/charts/partials/templates/_resource.tpl
+++ b/charts/partials/templates/_resource.tpl
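Review bot: `{{- include "partials.resource" .ResourceRequirements | nindent 2 }}` drops the `{{- if .ResourceRequirements -}}` guard, and `partials.resource` dereferences `.CPU.Limit` and `.Memory.Request` immediately, so a values file that omits `ResourceRequirements` (which the old comments presented as optional) now aborts rendering with a nil-pointer error instead of falling back; the `_proxy.tpl` hunk below has the same regression. Wrapping the include, `{{- with .ResourceRequirements }}{{ include "partials.resource" . | nindent 2 }}{{- end }}`, keeps the key optional. Both defines start outside their hunks.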
@@ -1,17 +1,21 @@ -{{- define "partials.proxy.resource" -}} -limits: - cpu: "1" - memory: 250Mi -requests: - cpu: 100m - memory: 20Mi -{{- end -}} - -{{- define "partials.proxy-init.resource" -}} -limits: - cpu: 100m - memory: 50Mi -requests: - cpu: 10m - memory: 10Mi -{{- end -}} +{{- define "partials.resource" -}} +resources: + {{- if or .CPU.Limit .Memory.Limit }} + limits: + {{- with .CPU.Limit }} + cpu: {{.}} + {{- end }} + {{- with .Memory.Limit }} + memory: {{.}} + {{- end }} + {{- end }} + {{- if or .CPU.Request .Memory.Request }} + requests: + {{- with .CPU.Request }} + cpu: {{.}} + {{- end }} + {{- with .Memory.Request }} + memory: {{.}} + {{- end }} + {{- end }} +{{- end }} From 921e505ce590b93fd45d579bf3bbf00b30bc2b24 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Thu, 25 Jul 2019 21:21:43 -0700 Subject: [PATCH 13/43] Set the proxy's destination service address env var Signed-off-by: ihcsim --- charts/partials/templates/_proxy.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 6f610c29bf759..89905af30c759 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -3,7 +3,7 @@ - name: LINKERD2_PROXY_LOG value: {{.LogLevel}} - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: localhost.:8086 + value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .ControlPlaneNamespace .ClusterDomain) (eq .Component "controller")}} - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:{{.Port.Control}} - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR From d4ae6ffddbcfa9c76abb59e474bf8fc6a7189151 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Thu, 25 Jul 2019 21:22:30 -0700 Subject: [PATCH 14/43] Add Grafana's template 
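Review bot: `.Proxy.ControlPlaneNamespace` is read by the new `printf`, but it is not visible under `Proxy:` in any values.yaml hunk on this page (only `ClusterDomain` is); if it is unset, every non-controller proxy renders a malformed `LINKERD2_PROXY_DESTINATION_SVC_ADDR`, so confirm the key exists in values.yaml. The branch selection also relies on `.Component` being exactly `"controller"`, a string set by `set .Proxy "Component" ...` in each workload template, which is an easy coupling to break on rename. A comment above the line, e.g. `{{/* the controller's proxy reaches its local destination container; every other proxy goes through the linkerd-destination service */}}`, would explain the ternary, and quoting the rendered scalar (`value: "{{ternary ...}}"`) removes the dependency on the namespace/domain values never containing YAML specials.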
Signed-off-by: ihcsim --- charts/linkerd/templates/controller.yaml | 2 +- charts/linkerd/templates/grafana-rbac.yaml | 15 ++ charts/linkerd/templates/grafana.yaml | 166 +++++++++++++++++++++ charts/linkerd/values.yaml | 7 +- 4 files changed, 187 insertions(+), 3 deletions(-) create mode 100644 charts/linkerd/templates/grafana-rbac.yaml create mode 100644 charts/linkerd/templates/grafana.yaml diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index d15be918e0b7b..59278af9548a8 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -145,7 +145,7 @@ spec: name: config {{- include "partials.proxy" .Proxy | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 -}} + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} serviceAccountName: linkerd-controller volumes: - name: config diff --git a/charts/linkerd/templates/grafana-rbac.yaml b/charts/linkerd/templates/grafana-rbac.yaml new file mode 100644 index 0000000000000..e1803535e24b4 --- /dev/null +++ b/charts/linkerd/templates/grafana-rbac.yaml @@ -0,0 +1,15 @@ +{{with .Values -}} +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} +{{- end -}} diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml new file mode 100644 index 0000000000000..f5347e4cd2eb4 --- /dev/null +++ b/charts/linkerd/templates/grafana.yaml 
@@ -0,0 +1,166 @@ +{{with .Values -}} +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +data: + grafana.ini: |- + instance_name = linkerd-grafana + + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + + [auth] + disable_login_form = true + + [auth.anonymous] + enabled = true + org_role = Editor + + [auth.basic] + enabled = false + + [analytics] + check_for_updates = false + + [panels] + disable_sanitize_html = true + + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +{{ if not .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-grafana" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: 
{{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-grafana + namespace: {{.Namespace}} +spec: + replicas: 1 + selector: + matchLabels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + containers: + - env: + - name: GF_PATHS_DATA + value: /data + image: {{.GrafanaImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + {{- if eq .HighAvailability true -}} + {{- include "linkerd.resources" .GrafanaResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + {{- include "partials.proxy" .Proxy | nindent 6 -}} + initContainers: + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config + {{- include "partials.proxy-identity-volume" . 
| nindent 6 -}} +{{end -}} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 8a3879c0e76a1..210e0c535e773 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -20,13 +20,16 @@ ControllerResources: &controller_resources Memory: Limit: 250Mi Request: 50Mi - PublicAPIResources: <<: *controller_resources - DestinationResources: <<: *controller_resources +# grafana configuration +GrafanaImage: gcr.io/linkerd-io/grafana +GrafanaResources: + <<: *controller_resources + # proxy configuration Proxy: ClusterDomain: *cluster_domain From 27f76de74c468b599249f1994c1f6283d912ef49 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Thu, 25 Jul 2019 21:31:49 -0700 Subject: [PATCH 15/43] Update api version of controller RBAC Signed-off-by: ihcsim --- charts/linkerd/templates/controller-rbac.yaml | 4 ++-- charts/linkerd/templates/grafana.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/linkerd/templates/controller-rbac.yaml b/charts/linkerd/templates/controller-rbac.yaml index 0a199ccec694d..e122f4610692c 100644 --- a/charts/linkerd/templates/controller-rbac.yaml +++ b/charts/linkerd/templates/controller-rbac.yaml @@ -5,7 +5,7 @@ ### --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-{{.Namespace}}-controller labels: @@ -29,7 +29,7 @@ rules: verbs: ["list", "get", "watch"] --- kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-{{.Namespace}}-controller labels: diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index f5347e4cd2eb4..2382c9c0135fa 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml 
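Review bot: `grafana.ini` hard-codes `disable_login_form = true`, `[auth.anonymous] enabled = true` with `org_role = Editor`, and `[panels] disable_sanitize_html = true`, and none of these is exposed through values, so an operator who needs anonymous Viewer-only access or HTML sanitizing on has to fork the template. Presumably these mirror the existing CLI-generated manifests; lifting the role and the sanitize flag into values.yaml (constructed names such as `GrafanaAnonymousRole` / `GrafanaSanitizeHTML`, defaulting to today's settings) keeps the behavior while letting it be tightened with `--set`. A one-line comment above the ConfigMap stating which exposure the anonymous-Editor default assumes would document the trade-off for whoever inherits this file.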
@@ -119,7 +119,7 @@ spec: - env: - name: GF_PATHS_DATA value: /data - image: {{.GrafanaImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.GrafanaImage}}:{{default $.Chart.AppVersion .GrafanaImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: From e164da63f6f78715220427064417ce0312ec4cb6 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Thu, 25 Jul 2019 21:42:52 -0700 Subject: [PATCH 16/43] Add Heartbeat template Signed-off-by: ihcsim --- charts/linkerd/templates/heartbeat-rbac.yaml | 44 ++++++++++++++++++++ charts/linkerd/templates/heartbeat.yaml | 44 ++++++++++++++++++++ charts/linkerd/values.yaml | 5 +++ 3 files changed, 93 insertions(+) create mode 100644 charts/linkerd/templates/heartbeat-rbac.yaml create mode 100644 charts/linkerd/templates/heartbeat.yaml diff --git a/charts/linkerd/templates/heartbeat-rbac.yaml b/charts/linkerd/templates/heartbeat-rbac.yaml new file mode 100644 index 0000000000000..cded3e5be7b47 --- /dev/null +++ b/charts/linkerd/templates/heartbeat-rbac.yaml @@ -0,0 +1,44 @@ +{{with .Values -}} +--- +### +### Heartbeat RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: heartbeat + {{.ControllerNamespaceLabel}}: {{.Namespace}} +{{- end -}} 
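Review bot: The new `.GrafanaImageVersion` lookup has no matching entry in values.yaml — this commit's diffstat touches only controller-rbac.yaml and grafana.yaml — so the `default` to `$.Chart.AppVersion` is the only thing defining it. That works, but the override is undiscoverable; adding a commented `# GrafanaImageVersion:` line under `GrafanaImage:` in values.yaml would document it alongside the other image settings.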
diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml new file mode 100644 index 0000000000000..cb1678843d03a --- /dev/null +++ b/charts/linkerd/templates/heartbeat.yaml @@ -0,0 +1,44 @@ +{{with .Values -}} +--- +### +### Heartbeat +### +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: heartbeat + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + schedule: "{{.HeartbeatSchedule}}" + jobTemplate: + spec: + template: + metadata: + labels: + {{.ControllerComponentLabel}}: heartbeat + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + spec: + serviceAccountName: linkerd-heartbeat + restartPolicy: OnFailure + containers: + - name: heartbeat + image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + args: + - "heartbeat" + - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090" + - "-controller-namespace={{.Namespace}}" + - "-log-level={{.ControllerLogLevel}}" + {{- if eq .HighAvailability true -}} + {{- include "linkerd.resources" .HeartbeatResources | nindent 12 }} + {{- end -}} + securityContext: + runAsUser: {{.ControllerUID}} +{{end -}} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 210e0c535e773..11dd5cf55f218 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -30,6 +30,11 @@ GrafanaImage: gcr.io/linkerd-io/grafana GrafanaResources: <<: *controller_resources +# heartbeat configuration +HeartbeatSchedule: "21 3 * * * " +HeartbeatResources: + <<: *controller_resources + # proxy configuration Proxy: ClusterDomain: *cluster_domain From d426b5e1eb87bd54d6573f17610f4fc813d5f915 Mon Sep 17 00:00:00 2001 
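Review bot: `{{- end -}}` after the HA `include` in heartbeat.yaml trims the newline in front of `securityContext:`, so in both the HA and the non-HA render `securityContext:` is glued onto the end of the previous line and the CronJob manifest does not parse; it needs the `{{- end }}` form that controller.yaml and grafana.yaml use after the same `partials`/`linkerd.resources` include (a later commit on this page makes exactly that change). The outer `{{end -}}` has the same asymmetry with the `{{with .Values -}}` opener, though it only affects trailing whitespace.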
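Review bot: `HeartbeatSchedule: "21 3 * * * "` carries a trailing space inside the quotes, which is then substituted verbatim into `schedule: "{{.HeartbeatSchedule}}"`; the Kubernetes cron parser tolerates it, but it is an easy thing to trip a stricter validator or a diff on later. Suggest `HeartbeatSchedule: "21 3 * * *"`.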
From: ihcsim Date: Thu, 25 Jul 2019 23:30:55 -0700 Subject: [PATCH 17/43] Remove duplicated resources partial template Signed-off-by: ihcsim --- charts/linkerd/templates/controller.yaml | 4 ++-- charts/linkerd/templates/grafana.yaml | 2 +- charts/linkerd/templates/heartbeat.yaml | 2 +- charts/partials/templates/_proxy-init.tpl | 2 +- charts/partials/templates/_proxy.tpl | 2 +- charts/partials/templates/_resource.tpl | 21 ------------------- .../templates/_resources.tpl | 5 ++--- 7 files changed, 8 insertions(+), 30 deletions(-) delete mode 100644 charts/partials/templates/_resource.tpl rename charts/{linkerd => partials}/templates/_resources.tpl (78%) diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 59278af9548a8..73eea00f62867 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -104,7 +104,7 @@ spec: path: /ready port: 9995 {{- if eq .HighAvailability true -}} - {{- include "linkerd.resources" .PublicAPIResources | nindent 8 }} + {{- include "partials.resources" .PublicAPIResources | nindent 8 }} {{- end }} securityContext: runAsUser: {{.ControllerUID}} @@ -136,7 +136,7 @@ spec: path: /ready port: 9996 {{- if eq .HighAvailability true -}} - {{- include "linkerd.resources" .DestinationResources | nindent 8 }} + {{- include "partials.resources" .DestinationResources | nindent 8 }} {{- end }} securityContext: runAsUser: {{.ControllerUID}} diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index 2382c9c0135fa..7ddf201ebce8d 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml @@ -135,7 +135,7 @@ spec: path: /api/health port: 3000 {{- if eq .HighAvailability true -}} - {{- include "linkerd.resources" .GrafanaResources | nindent 8 }} + {{- include "partials.resources" .GrafanaResources | nindent 8 }} {{- end }} securityContext: runAsUser: 472 
diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml index cb1678843d03a..cd9e2bd72b58a 100644 --- a/charts/linkerd/templates/heartbeat.yaml +++ b/charts/linkerd/templates/heartbeat.yaml @@ -37,7 +37,7 @@ spec: - "-controller-namespace={{.Namespace}}" - "-log-level={{.ControllerLogLevel}}" {{- if eq .HighAvailability true -}} - {{- include "linkerd.resources" .HeartbeatResources | nindent 12 }} + {{- include "partials.resources" .HeartbeatResources | nindent 12 }} {{- end -}} securityContext: runAsUser: {{.ControllerUID}} diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index ee6f5722b7cf7..6067fbb954b6d 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl @@ -13,7 +13,7 @@ image: {{.Image.Name}}:{{.Image.Version}} imagePullPolicy: {{.Image.PullPolicy}} name: linkerd-init - {{- include "partials.resource" .ResourceRequirements | nindent 2 }} + {{- include "partials.resources" .ResourceRequirements | nindent 2 }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 89905af30c759..6e5f777e5674b 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -71,7 +71,7 @@ port: {{.Port.Admin}} initialDelaySeconds: 2 {{- if eq .HighAvailability true -}} - {{- include "partials.resource" .ResourceRequirements | nindent 2 -}} + {{- include "partials.resources" .ResourceRequirements | nindent 2 -}} {{- end }} securityContext: allowPrivilegeEscalation: false diff --git a/charts/partials/templates/_resource.tpl b/charts/partials/templates/_resource.tpl deleted file mode 100644 index aa5dbf769fb2a..0000000000000 --- a/charts/partials/templates/_resource.tpl +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- define "partials.resource" -}} -resources: - {{- if or .CPU.Limit .Memory.Limit }} - limits: - {{- with .CPU.Limit }} - cpu: {{.}} - {{- end }} - {{- with .Memory.Limit }} - memory: {{.}} - {{- end }} - {{- end }} - {{- if or .CPU.Request .Memory.Request }} - requests: - {{- with .CPU.Request }} - cpu: {{.}} - {{- end }} - {{- with .Memory.Request }} - memory: {{.}} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/linkerd/templates/_resources.tpl b/charts/partials/templates/_resources.tpl similarity index 78% rename from charts/linkerd/templates/_resources.tpl rename to charts/partials/templates/_resources.tpl index ce5fede579325..be4eb4381a7b6 100644 --- a/charts/linkerd/templates/_resources.tpl +++ b/charts/partials/templates/_resources.tpl @@ -1,5 +1,4 @@ -{{/* Specify resource requests and limits for workloads */}} -{{- define "linkerd.resources" -}} +{{- define "partials.resources" -}} resources: {{- if or .CPU.Limit .Memory.Limit }} limits: @@ -19,4 +18,4 @@ resources: memory: {{.}} {{- end }} {{- end }} -{{- end -}} +{{- end }} From 48cd88dd0c93975692e5cea71149603bfe24bd85 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Sun, 28 Jul 2019 16:15:42 -0700 Subject: [PATCH 18/43] Add remainder control plane components templates 
Signed-off-by: ihcsim --- charts/linkerd/Chart.yaml | 7 +- charts/linkerd/templates/controller.yaml | 30 +-- charts/linkerd/templates/grafana.yaml | 4 +- charts/linkerd/templates/heartbeat.yaml | 6 +- charts/linkerd/templates/identity-rbac.yaml | 45 ++++ charts/linkerd/templates/identity.yaml | 127 ++++++++++++ charts/linkerd/templates/prometheus-rbac.yaml | 43 ++++ charts/linkerd/templates/prometheus.yaml | 193 ++++++++++++++++++ .../templates/proxy-injector-rbac.yaml | 95 +++++++++ charts/linkerd/templates/proxy-injector.yaml | 107 ++++++++++ charts/linkerd/templates/psp.yaml | 115 +++++++++++ .../linkerd/templates/serviceprofile-crd.yaml | 31 +++ .../linkerd/templates/sp-validator-rbac.yaml | 85 ++++++++ charts/linkerd/templates/sp-validator.yaml | 102 +++++++++ charts/linkerd/templates/tap-rbac.yaml | 49 +++++ charts/linkerd/templates/tap.yaml | 96 +++++++++ .../linkerd/templates/trafficsplit-crd.yaml | 31 +++ charts/linkerd/templates/web-rbac.yaml | 15 ++ charts/linkerd/templates/web.yaml | 102 +++++++++ charts/linkerd/values.yaml | 104 +++++++--- charts/partials/templates/_proxy-init.tpl | 1 + charts/partials/templates/_proxy.tpl | 24 ++- charts/partials/templates/_volumes.tpl | 2 +- 23 files changed, 1356 insertions(+), 58 deletions(-) create mode 100644 charts/linkerd/templates/identity-rbac.yaml create mode 100644 charts/linkerd/templates/identity.yaml create mode 100644 charts/linkerd/templates/prometheus-rbac.yaml create mode 100644 charts/linkerd/templates/prometheus.yaml create mode 100644 charts/linkerd/templates/proxy-injector-rbac.yaml create mode 100644 charts/linkerd/templates/proxy-injector.yaml create mode 100644 charts/linkerd/templates/psp.yaml create mode 100644 charts/linkerd/templates/serviceprofile-crd.yaml create mode 100644 charts/linkerd/templates/sp-validator-rbac.yaml create mode 100644 charts/linkerd/templates/sp-validator.yaml create mode 100644 charts/linkerd/templates/tap-rbac.yaml create mode 100644 
charts/linkerd/templates/tap.yaml create mode 100644 charts/linkerd/templates/trafficsplit-crd.yaml create mode 100644 charts/linkerd/templates/web-rbac.yaml create mode 100644 charts/linkerd/templates/web.yaml diff --git a/charts/linkerd/Chart.yaml b/charts/linkerd/Chart.yaml index fe02eca0f9c2b..91ccfe5e4454c 100644 --- a/charts/linkerd/Chart.yaml +++ b/charts/linkerd/Chart.yaml @@ -1,10 +1,11 @@ apiVersion: "v1" appVersion: stable-2.4.0 -name: "linkerd" -version: 0.1.0 description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required. +home: https://linkerd.io keywords: - service-mesh -home: https://linkerd.io +kubeVersion: ">=1.12.0-0" +name: "linkerd" sources: - https://github.com/linkerd/linkerd2/ +version: 0.1.0 diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 73eea00f62867..92c868ecacfeb 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -42,11 +42,11 @@ spec: port: 8086 targetPort: 8086 --- -{{ if not .Proxy.Image.Version -}} +{{ if empty .Proxy.Image.Version -}} {{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} -{{ $_ := set .Proxy "Component" "controller" -}} +{{ $_ := set .Proxy "Component" "linkerd-controller" -}} apiVersion: apps/v1 kind: Deployment metadata: 
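Review bot: `set .Proxy "Component" "linkerd-controller"` changes the string that the `_proxy.tpl` ternary from an earlier commit on this page compares with `eq .Component "controller"` to pick `localhost.:8086` as the destination address; unless the `_proxy.tpl` change listed in this commit's diffstat updates that literal, the controller's own proxy would now be pointed at the `linkerd-destination` service instead of its local container. Worth confirming, and worth a comment on the `set` line such as `{{/* matched by name in partials/_proxy.tpl */}}` so the coupling is visible at both ends.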
@@ -80,11 +80,11 @@ spec: {{- end }} containers: - args: - - "public-api" - - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.cluster.local:9090" - - "-tap-addr=linkerd-tap.{{.Namespace}}.svc.{{.ClusterDomain}}:8088" - - "-controller-namespace={{.Namespace}}" - - "-log-level={{.ControllerLogLevel}}" + - public-api + - -prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090 + - -tap-addr=linkerd-tap.{{.Namespace}}.svc.{{.ClusterDomain}}:8088 + - -controller-namespace={{.Namespace}} + - -log-level={{.ControllerLogLevel}} image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: @@ -112,11 +112,11 @@ spec: - mountPath: /var/run/linkerd/config name: config - args: - - "destination" - - "-addr=:8086" - - "-controller-namespace={{.Namespace}}" - - "-enable-h2-upgrade={{.EnableH2Upgrade}}" - - "-log-level={{.ControllerLogLevel}}" + - destination + - -addr=:8086 + - -controller-namespace={{.Namespace}} + - -enable-h2-upgrade={{.EnableH2Upgrade}} + - -log-level={{.ControllerLogLevel}} image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: @@ -148,8 +148,8 @@ spec: {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} serviceAccountName: linkerd-controller volumes: - - name: config - configMap: + - configMap: name: linkerd-config - {{- include "partials.proxy-identity-volume" . | nindent 6 -}} + name: config + {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} {{end -}} diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index 7ddf201ebce8d..ec1ce67b0d70b 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml 
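Review bot: Dropping the quotes on the templated `args` entries (the `@@ -80` and `@@ -112` hunks) makes the rendered YAML depend on `.Namespace`, `.ClusterDomain` and `.ControllerLogLevel` never expanding to text containing `: ` or ` #`; the plain scalars are valid as written, but quoted templated values are the safer convention, and heartbeat.yaml on this page keeps its args quoted, so the two files now disagree in style. Suggest keeping the `- "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090"` form in both controller hunks. The switch from the hard-coded `cluster.local` to `{{.ClusterDomain}}` in the same line is the useful part of the change.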
@@ -83,7 +83,7 @@ spec: port: 3000 targetPort: 3000 --- -{{ if not .Proxy.Image.Version -}} +{{ if empty .Proxy.Image.Version -}} {{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} @@ -162,5 +162,5 @@ spec: path: provisioning/dashboards/dashboards.yaml name: linkerd-grafana-config name: grafana-config - {{- include "partials.proxy-identity-volume" . | nindent 6 -}} + {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} {{end -}} diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml index cd9e2bd72b58a..42388b1bbf7bd 100644 --- a/charts/linkerd/templates/heartbeat.yaml +++ b/charts/linkerd/templates/heartbeat.yaml @@ -36,9 +36,11 @@ spec: - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090" - "-controller-namespace={{.Namespace}}" - "-log-level={{.ControllerLogLevel}}" + image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} {{- if eq .HighAvailability true -}} {{- include "partials.resources" .HeartbeatResources | nindent 12 }} - {{- end -}} + {{- end }} securityContext: runAsUser: {{.ControllerUID}} -{{end -}} +{{- end -}} diff --git a/charts/linkerd/templates/identity-rbac.yaml b/charts/linkerd/templates/identity-rbac.yaml new file mode 100644 index 0000000000000..4d70f95804380 --- /dev/null +++ b/charts/linkerd/templates/identity-rbac.yaml 
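Review bot: The added `image:` and `imagePullPolicy:` lines after `args:` duplicate the same two keys that heartbeat.yaml already has under `- name: heartbeat` (lines 32–33 of the file as created earlier on this page); the hunk header `@@ -36,9 +36,11 @@` starts below them and this commit's diffstat shows 6 changed lines for the file, all in this hunk, so both copies survive and the container mapping carries duplicate keys, which YAML parsers either reject or resolve silently last-wins. Drop the two added lines (or the original pair) so each key appears once.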
@@ -0,0 +1,45 @@ +{{with .Values -}} +{{if .Identity -}} +--- +### +### Identity Controller Service RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-identity + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-identity + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Namespace}}-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml new file mode 100644 index 0000000000000..dd94f38b8e398 --- /dev/null +++ b/charts/linkerd/templates/identity.yaml 
@@ -0,0 +1,127 @@ +{{with .Values -}} +{{if .Identity -}} +--- +### +### Identity Controller Service +### +{{ if .Identity.Issuer -}} +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- if .Identity.Issuer.CrtExpiryAnnotation}} + {{.Identity.Issuer.CrtExpiryAnnotation}}: {{required "Please provide the identity issuer certificate expiry date" .Identity.Issuer.CrtExpiry}} + {{- end}} +data: + crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Identity.Issuer.CrtPEM)}} + key.pem: {{b64enc (required "Please provide the identity issue private key" .Identity.Issuer.KeyPEM)}} +{{- end}} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +{{ if empty .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-identity" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-identity + namespace: {{.Namespace}} +spec: + replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + selector: + matchLabels: + 
{{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if eq .HighAvailability true -}} + {{- $local := dict "Component" "identity" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - identity + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + {{- if eq .HighAvailability true -}} + {{- include "partials.resources" .Identity.Resources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + {{- include "partials.proxy" .Proxy | nindent 6 -}} + initContainers: + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} +{{end -}} +{{end -}} 
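Review bot: The Deployment always mounts `secretName: linkerd-identity-issuer`, but the Secret is only rendered under `{{ if .Identity.Issuer -}}`; when `.Identity.Issuer` is unset the pod will wait on a missing secret unless one is created out of band, and nothing in the template says so. A comment above that line, e.g. `{{/* when Identity.Issuer is not provided, a Secret named linkerd-identity-issuer must already exist in the namespace */}}`, would make the contract explicit. Note also that a key supplied via `.Identity.Issuer.KeyPEM` lives in the chart values and therefore in Helm release storage, which is worth stating next to that key in values.yaml. Minor: the `required` message for `key.pem` reads "identity issue private key"; it should be "identity issuer private key" to match the `crt.pem` message.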
diff --git a/charts/linkerd/templates/prometheus-rbac.yaml b/charts/linkerd/templates/prometheus-rbac.yaml new file mode 100644 index 0000000000000..26e37adf1f40a --- /dev/null +++ b/charts/linkerd/templates/prometheus-rbac.yaml @@ -0,0 +1,43 @@ +{{with .Values -}} +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-prometheus + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-prometheus + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Namespace}}-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: {{.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} +{{- end -}} diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml new file mode 100644 index 0000000000000..5b8653797c993 --- /dev/null +++ b/charts/linkerd/templates/prometheus.yaml 
@@ -0,0 +1,193 @@ +{{with .Values -}} +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +data: + prometheus.yml: |- + global: + scrape_interval: 10s + scrape_timeout: 10s + evaluation_interval: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['{{.Namespace}}'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['{{.Namespace}}'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^{{default .ProxyContainerName "linkerd-proxy" .ProxyContainerName}};linkerd-admin;{{.Namespace}}$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + 
- source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +{{ if empty .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-prometheus" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-prometheus + namespace: {{.Namespace}} +spec: + replicas: 1 + selector: + matchLabels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf 
"linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + containers: + - args: + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + - --config.file=/etc/prometheus/prometheus.yml + - --log.level={{lower .PrometheusLogLevel}} + image: {{.PrometheusImage}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + {{- if eq .HighAvailability true -}} + {{- include "partials.resources" .PrometheusResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus + name: prometheus-config + readOnly: true + {{- include "partials.proxy" .Proxy | nindent 6 -}} + initContainers: + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + serviceAccountName: linkerd-prometheus + volumes: + - emptyDir: {} + name: data + - configMap: + name: linkerd-prometheus-config + name: prometheus-config + {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} +{{ end -}} diff --git a/charts/linkerd/templates/proxy-injector-rbac.yaml b/charts/linkerd/templates/proxy-injector-rbac.yaml new file mode 100644 index 0000000000000..1156c297c0cad --- /dev/null +++ b/charts/linkerd/templates/proxy-injector-rbac.yaml 
@@ -0,0 +1,95 @@ +{{with .Values -}} +--- +### +### Proxy Injector RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-proxy-injector + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-proxy-injector + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Namespace}} + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-{{.Namespace}}-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-tls + namespace: {{ .Namespace }} + labels: + {{ .ControllerComponentLabel }}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +type: Opaque +data: + {{ $ca := genCA (printf "linkerd-proxy-injector.%s.svc" .Namespace) 365 -}} + crt.pem: {{ b64enc $ca.Cert }} + key.pem: {{ b64enc $ca.Key }} +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} +webhooks: +- name: 
linkerd-proxy-injector.linkerd.io + namespaceSelector: + matchExpressions: + - key: linkerd.io/is-control-plane + operator: DoesNotExist + clientConfig: + service: + name: linkerd-proxy-injector + namespace: {{ .Namespace }} + path: "/" + caBundle: {{ b64enc $ca.Cert }} + failurePolicy: {{ternary "Fail" "Ignore" (eq .HighAvailability true)}} + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + {{- if empty .OmitWebhookSideEffects }} + sideEffects: None + {{- end -}} +{{end -}} diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml new file mode 100644 index 0000000000000..6c1386223387a --- /dev/null +++ b/charts/linkerd/templates/proxy-injector.yaml 
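Review bot: `genCA` inside the Secret's `data` block produces a fresh CA key pair on every render, so each `helm upgrade` (and each `helm template` run) rotates `linkerd-proxy-injector-tls` and the webhook `caBundle` together; the two must land in the same apply or the API server rejects the webhook's TLS handshake, and a running injector presumably keeps serving the previous certificate until its pod restarts. That coupling deserves a comment above the `{{ $ca := genCA ... }}` line, e.g. `# Regenerated on every render: the Secret below and the caBundle in the webhook config must always be applied together`. The CA's own key pair is also used directly as the serving certificate; the usual Sprig pattern is `genCA` followed by `genSignedCert (printf "linkerd-proxy-injector.%s.svc" .Namespace) (list) (list) 365 $ca`, so that only the leaf key is mounted into the pod and the CA can outlive it. The same applies to the sp-validator Secret and ValidatingWebhookConfiguration in sp-validator-rbac.yaml.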
@@ -0,0 +1,107 @@ +{{with .Values -}} +--- +### +### Proxy Injector +### +--- +{{ if empty .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-proxy-injector" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-proxy-injector + namespace: {{.Namespace}} +spec: + replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + selector: + matchLabels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if eq .HighAvailability true -}} + {{- $local := dict "Component" "proxy-injector" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - proxy-injector + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + {{- if eq .HighAvailability true -}} + {{- 
include "partials.resources" .ProxyInjectorResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + {{- include "partials.proxy" .Proxy | nindent 6 -}} + initContainers: + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - name: tls + secret: + secretName: linkerd-proxy-injector-tls + {{- include "partials.proxy.volumes.identity" . | nindent 6 }} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +{{- end -}} diff --git a/charts/linkerd/templates/psp.yaml b/charts/linkerd/templates/psp.yaml new file mode 100644 index 0000000000000..f89d2c518de9f --- /dev/null +++ b/charts/linkerd/templates/psp.yaml 
@@ -0,0 +1,115 @@ +{{with .Values -}} +--- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-{{.Namespace}}-control-plane + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + {{- if empty .NoInitContainer }} + allowedCapabilities: + - NET_ADMIN + - NET_RAW + {{- end}} + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + {{- if .NoInitContainer }} + rule: MustRunAsNonRoot + {{- else }} + rule: RunAsAny + {{- end }} + supplementalGroups: + rule: MustRunAs + ranges: + {{- if .NoInitContainer }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + fsGroup: + rule: MustRunAs + ranges: + {{- if .NoInitContainer }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: {{.Namespace}} + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-{{.Namespace}}-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: {{.Namespace}} + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-grafana + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Namespace}} +- kind: ServiceAccount 
+ name: linkerd-prometheus
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-proxy-injector
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-sp-validator
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-web
+ namespace: {{.Namespace}}
+{{- end -}}
diff --git a/charts/linkerd/templates/serviceprofile-crd.yaml b/charts/linkerd/templates/serviceprofile-crd.yaml
new file mode 100644
index 0000000000000..1d6ac4bfd21ca
--- /dev/null
+++ b/charts/linkerd/templates/serviceprofile-crd.yaml
@@ -0,0 +1,31 @@
+{{with .Values -}}
+---
+###
+### Service Profile CRD
+###
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceprofiles.linkerd.io
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+ labels:
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+spec:
+ group: linkerd.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: false
+ - name: v1alpha2
+ served: true
+ storage: true
+ scope: Namespaced
+ names:
+ plural: serviceprofiles
+ singular: serviceprofile
+ kind: ServiceProfile
+ shortNames:
+ - sp
+{{- end -}}
diff --git a/charts/linkerd/templates/sp-validator-rbac.yaml b/charts/linkerd/templates/sp-validator-rbac.yaml
new file mode 100644
index 0000000000000..2f24283cfdbf0
--- /dev/null
+++ b/charts/linkerd/templates/sp-validator-rbac.yaml
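Review bot: The PodSecurityPolicy requires `readOnlyRootFilesystem: true`, but the control-plane containers added in this commit (identity, prometheus, proxy-injector, sp-validator, tap, web) set only `runAsUser` in their securityContext; as far as I can tell PSP admission validates this field rather than defaulting it, so on a cluster with the PSP admission plugin enabled these pods would be rejected by the very policy the Role grants them. Either add `readOnlyRootFilesystem: true` to each controller container (Prometheus already writes only to its `/data` emptyDir) or record the gap in a comment above `readOnlyRootFilesystem: true` here so it is not mistaken for an enforced guarantee. The `volumes` list also allows `persistentVolumeClaim`, which none of the control-plane pods in this commit use; dropping it keeps the policy closer to least privilege.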
@@ -0,0 +1,85 @@ +{{with .Values -}} +--- +### +### Service Profile Validator RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-sp-validator + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-sp-validator + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} +subjects: +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: {{.Namespace}} + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-{{.Namespace}}-sp-validator + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-tls + namespace: {{ .Namespace }} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +type: Opaque +data: + {{ $ca := genCA (printf "linkerd-sp-validator.%s.svc" .Namespace) 365 -}} + crt.pem: {{ b64enc $ca.Cert }} + key.pem: {{ b64enc $ca.Key }} +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-sp-validator-webhook-config + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} +webhooks: +- name: linkerd-sp-validator.linkerd.io + clientConfig: + service: + name: linkerd-sp-validator + namespace: {{ .Namespace }} + path: "/" + caBundle: {{ b64enc $ca.Cert }} + failurePolicy: {{ternary 
"Fail" "Ignore" (eq .HighAvailability true)}} + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + {{- if empty .OmitWebhookSideEffects }} + sideEffects: None + {{- end -}} +{{end -}} diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml new file mode 100644 index 0000000000000..02715de8778dd --- /dev/null +++ b/charts/linkerd/templates/sp-validator.yaml 
@@ -0,0 +1,102 @@ +{{with .Values -}} +--- +### +### Service Profile Validator +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: sp-validator + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +{{ if empty .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-sp-validator" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-sp-validator + namespace: {{.Namespace}} +spec: + replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + selector: + matchLabels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if eq .HighAvailability true -}} + {{- $local := dict "Component" "sp-validator" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - sp-validator + - 
-log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + {{- if eq .HighAvailability true -}} + {{- include "partials.resources" .SPValidatorResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + {{- include "partials.proxy" .Proxy | nindent 6 -}} + initContainers: + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + serviceAccountName: linkerd-sp-validator + volumes: + - name: tls + secret: + secretName: linkerd-sp-validator-tls + {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} +{{end -}} diff --git a/charts/linkerd/templates/tap-rbac.yaml b/charts/linkerd/templates/tap-rbac.yaml new file mode 100644 index 0000000000000..8222db6c8e5a7 --- /dev/null +++ b/charts/linkerd/templates/tap-rbac.yaml 
@@ -0,0 +1,49 @@
+{{with .Values -}}
+---
+###
+### Tap RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: linkerd-{{.Namespace}}-tap
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services", "replicationcontrollers", "namespaces"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["extensions", "batch"]
+ resources: ["jobs"]
+ verbs: ["list" , "get", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: linkerd-{{.Namespace}}-tap
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-tap
+subjects:
+- kind: ServiceAccount
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{- end -}}
diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml
new file mode 100644
index 0000000000000..7320a14c4a547
--- /dev/null
+++ b/charts/linkerd/templates/tap.yaml
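Review bot: Both the ClusterRole and the ClusterRoleBinding here use `apiVersion: rbac.authorization.k8s.io/v1beta1`, while every other RBAC object in this commit (prometheus-rbac.yaml, proxy-injector-rbac.yaml, sp-validator-rbac.yaml, psp.yaml) uses the stable `rbac.authorization.k8s.io/v1`. The v1 form is identical for these objects, so changing both lines to `apiVersion: rbac.authorization.k8s.io/v1` keeps the chart consistent and avoids a breakage when the beta API is eventually removed.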
@@ -0,0 +1,96 @@ +{{with .Values -}} +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 +--- +{{ if empty .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-tap" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-tap + namespace: {{.Namespace}} +spec: + replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + selector: + matchLabels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if eq .HighAvailability true -}} + {{- $local := dict "Component" "tap" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - tap + - -controller-namespace={{.Namespace}} + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default $.Chart.AppVersion 
.ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + {{- if eq .HighAvailability true -}} + {{- include "partials.resources" .TapResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + {{- include "partials.proxy" .Proxy | nindent 6 -}} + initContainers: + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + serviceAccountName: linkerd-tap + volumes: + {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} +{{- end -}} diff --git a/charts/linkerd/templates/trafficsplit-crd.yaml b/charts/linkerd/templates/trafficsplit-crd.yaml new file mode 100644 index 0000000000000..b2c4e3f5b4e38 --- /dev/null +++ b/charts/linkerd/templates/trafficsplit-crd.yaml @@ -0,0 +1,31 @@ +{{with .Values -}} +--- +### +### TrafficSplit CRD +### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trafficsplits.split.smi-spec.io + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +spec: + group: split.smi-spec.io + version: v1alpha1 + scope: Namespaced + names: + kind: TrafficSplit + shortNames: + - ts + plural: trafficsplits + singular: trafficsplit + additionalPrinterColumns: + - name: Service + type: string + description: The apex service of this split. + JSONPath: .spec.service +{{- end -}} diff --git a/charts/linkerd/templates/web-rbac.yaml b/charts/linkerd/templates/web-rbac.yaml new file mode 100644 index 0000000000000..32b6a3b39859f --- /dev/null 
+++ b/charts/linkerd/templates/web-rbac.yaml
@@ -0,0 +1,15 @@
+{{with .Values -}}
+---
+###
+### Web RBAC
+###
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-web
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: web
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{- end -}}
diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml
new file mode 100644
index 0000000000000..25077f0dbb6e7
--- /dev/null
+++ b/charts/linkerd/templates/web.yaml
@@ -0,0 +1,102 @@ +{{with .Values -}} +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: web + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +{{ if empty .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-web" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: web + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-web + namespace: {{.Namespace}} +spec: + replicas: 1 + selector: + matchLabels: + {{.ControllerComponentLabel}}: web + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: web + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + containers: + - args: + - -api-addr=linkerd-controller-api.{{.Namespace}}.svc.{{.ClusterDomain}}:8085 + - -grafana-addr=linkerd-grafana.{{.Namespace}}.svc.{{.ClusterDomain}}:3000 + - -controller-namespace={{.Namespace}} + - -log-level={{.ControllerLogLevel}} + image: {{.WebImage}}:{{default $.Chart.AppVersion .WebImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + 
livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + {{- if eq .HighAvailability true -}} + {{- include "partials.resources" .WebResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + {{- include "partials.proxy" .Proxy | nindent 6 -}} + initContainers: + {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + serviceAccountName: linkerd-web + volumes: + - configMap: + name: linkerd-config + name: config + {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} +{{end -}} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 11dd5cf55f218..d960d6d1a74df 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml 
@@ -4,26 +4,59 @@ ClusterDomain: &cluster_domain cluster.local EnableH2Upgrade: true -HighAvailability: &high_availability true +HighAvailability: &high_availability false ImagePullPolicy: IfNotPresent Namespace: &namespace linkerd # controller configuration -ControllerReplicas: 3 ControllerImage: gcr.io/linkerd-io/controller -ControllerLogLevel: info -ControllerUID: 2103 +ControllerLogLevel: &controller_log_level info +ControllerReplicas: 3 ControllerResources: &controller_resources - CPU: + CPU: &controller_resources_cpu Limit: "1" Request: 100m - Memory: + Memory: &controller_resources_memory Limit: 250Mi Request: 50Mi -PublicAPIResources: - <<: *controller_resources +ControllerUID: 2103 DestinationResources: <<: *controller_resources +PublicAPIResources: + <<: *controller_resources + +# identity configuration +Identity: + Issuer: + # PEM encoded certificate + CrtPEM: | + -----BEGIN CERTIFICATE----- + MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 + eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1 + MDMxNzA4WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j + YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATwPFIAEAosip9WpovFw3MrJQ3W + NqCzU54MXTMUEaNQBNcHyzz8xfZ2vZY56TQQod3HQ8dEcPwRNgTFJxgzdt03o0Iw + QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC + MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJpWjlDgXGo8hgvr + WX/H+QmI4sSA3EiW1J9ZNweS94UsAiB9IN9rkv/b47tYsynZCpLTzSeF7+16VdyI + DT1weqC2Vg== + -----END CERTIFICATE----- + + # Must match the expiry date in CrtPEM + CrtExpiry: 2020-07-25T03:17:08Z + CrtExpiryAnnotation: linkerd.io/identity-issuer-expiry + + # PEM encode ECDSA private key + KeyPEM: | + -----BEGIN EC PRIVATE KEY----- + MHcCAQEEINfi1j8CjonK4FCuDoCUPXRxVMNResGsQDbFqEXTUeJUoAoGCCqGSM49 + AwEHoUQDQgAE8DxSABAKLIqfVqaLxcNzKyUN1jags1OeDF0zFBGjUATXB8s8/MX2 + dr2WOek0EKHdx0PHRHD8ETYExScYM3bdNw== + -----END EC PRIVATE KEY----- + Resources: + CPU: + <<: *controller_resources_cpu + Memory: 
*controller_resources_memory # grafana configuration GrafanaImage: gcr.io/linkerd-io/grafana 
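Review bot: `Identity.Issuer.KeyPEM` checks a usable ECDSA private key into the chart's default values, and the matching certificate is also the default `Proxy.Identity.TrustAnchors` later in this file; every cluster installed without overriding these values trusts an issuer whose private key is public in this repository, so anyone holding it can mint proxy identities those clusters accept. The issuer key and certificate should default to empty, with the identity template failing the render via `required` when they are unset, and the sample PEM moved to documentation or a test fixture; if this chart is installed with Helm 2, the values are presumably also persisted in the release's stored config, which is a further reason not to carry the key here. Separately, `CrtExpiry: 2020-07-25T03:17:08Z` is an unquoted scalar that YAML parsers type as a timestamp, so it may reach the expiry annotation in Go's time format rather than as RFC 3339; quote it as `CrtExpiry: "2020-07-25T03:17:08Z"`.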
@@ -31,35 +64,41 @@ GrafanaResources: <<: *controller_resources # heartbeat configuration -HeartbeatSchedule: "21 3 * * * " HeartbeatResources: <<: *controller_resources +HeartbeatSchedule: "0 0 * * * " + +# prometheus configuration +PrometheusImage: prom/prometheus:v2.11.1 +PrometheusLogLevel: *controller_log_level +PrometheusResources: + <<: *controller_resources # proxy configuration Proxy: ClusterDomain: *cluster_domain + ControlPlaneNamespace: *namespace DisableIdentity: false EnableExternalProfile: false HighAvailability: *high_availability - IdentityTrustAnchors: | - -----BEGIN CERTIFICATE----- - MIIBgjCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 - eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI0MTY1OTM4WhcNMjAwNzIz - MTY1OTU4WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j - YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQQiUcsrdv4rhQ9THRlPQrLshFY - YgvHgyAyGfqlrukGR4OsNzv1tX3lNsMZggvqr7skiXozt7R9SwMrTZK7EkU0o0Iw - QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC - MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgHKe2J1SooDemPrjC - 4YMyvoEmZ/7lGzeUOcIxN8bGcHwCIEp5zIp8+2QEPfKwS01sW0fjQwHBzV87Dm4G - eHrLH7qz - -----END CERTIFICATE----- + Identity: + TrustDomain: *cluster_domain + TrustAnchors: | + -----BEGIN CERTIFICATE----- + MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 + eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1 + MDMxNzA4WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j + YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATwPFIAEAosip9WpovFw3MrJQ3W + NqCzU54MXTMUEaNQBNcHyzz8xfZ2vZY56TQQod3HQ8dEcPwRNgTFJxgzdt03o0Iw + QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC + MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJpWjlDgXGo8hgvr + WX/H+QmI4sSA3EiW1J9ZNweS94UsAiB9IN9rkv/b47tYsynZCpLTzSeF7+16VdyI + DT1weqC2Vg== + -----END CERTIFICATE----- Image: Name: gcr.io/linkerd-io/proxy PullPolicy: IfNotPresent - InboundAcceptKeepAlive: 10000ms LogLevel: warn,linkerd2_proxy=info - 
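Review bot: `Identity.Issuer.KeyPEM` ships a real EC private key, together with its matching `CrtPEM`, as a default value in a chart that is meant to be published, so any cluster installed without overriding it runs an identity issuer whose key everyone can read, and anyone can mint identities that its proxies will trust. Ship empty defaults, `CrtPEM: ""` and `KeyPEM: ""`, and make the identity template refuse to render without them, e.g. `{{ required "Identity.Issuer.KeyPEM must be provided" .Identity.Issuer.KeyPEM }}` (the identity template itself is outside this hunk). The key committed here should be treated as compromised once the patch is public and never reused. Separately, quoting `CrtExpiry: "2020-07-25T03:17:08Z"` keeps the value a plain string rather than a YAML timestamp, which some loaders reformat before it reaches the expiry annotation.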
ControlPlaneNamespace: *namespace - OutboundAcceptKeepAlive: 10000ms Port: &proxy_ports Admin: 4191 Control: 4190 @@ -98,6 +137,23 @@ ProxyInit: Limit: 50Mi Request: 10Mi +# proxy injector configuration +ProxyInjectorResources: + <<: *controller_resources + +# service profile validator configuration +SPValidatorResources: + <<: *controller_resources + +# tap configuration +TapResources: + <<: *controller_resources + +# web configuration +WebImage: gcr.io/linkerd-io/web +WebResources: + <<: *controller_resources + # annotations CreatedByAnnotation: linkerd.io/created-by ProxyInjectAnnotation: linkerd.io/inject diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index 6067fbb954b6d..14f69fb232a7c 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl @@ -24,4 +24,5 @@ readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError {{- end -}} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 6e5f777e5674b..fedf3408cbad4 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -3,7 +3,7 @@ - name: LINKERD2_PROXY_LOG value: {{.LogLevel}} - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .ControlPlaneNamespace .ClusterDomain) (eq .Component "controller")}} + value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .ControlPlaneNamespace .ClusterDomain) (eq .Component "linkerd-controller")}} - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:{{.Port.Control}} - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR 
@@ -13,37 +13,40 @@ - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:{{.Port.Inbound}} - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - {{- $internalProfileSuffix := printf "svc.%s" .ClusterDomain }} + {{- $internalProfileSuffix := printf "svc.%s." .ClusterDomain }} value: {{ternary "." $internalProfileSuffix .EnableExternalProfile}} - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: {{.InboundAcceptKeepAlive}} + value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: {{.OutboundAcceptKeepAlive}} + value: 10000ms - name: _pod_ns valueFrom: fieldRef: - apiVersion: v1 fieldPath: metadata.namespace - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: ns:$(_pod_ns) + {{ if eq .Component "linkerd-prometheus" -}} + - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY + value: "10000" + {{ end -}} - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | - {{- .IdentityTrustAnchors | trim | nindent 6 }} + {{- .Identity.TrustAnchors | trim | nindent 6 }} - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.{{.ControlPlaneNamespace}}.svc.cluster.local:8080 + {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .ControlPlaneNamespace .ClusterDomain }} + value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Component "linkerd-identity")}} - name: _pod_sa valueFrom: fieldRef: - apiVersion: v1 fieldPath: spec.serviceAccountName - name: _l5d_ns value: {{.ControlPlaneNamespace}} - name: _l5d_trustdomain - value: {{.ClusterDomain}} + value: {{.Identity.TrustDomain}} - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_IDENTITY_SVC_NAME 
@@ -61,10 +64,8 @@ ports: - containerPort: {{.Port.Inbound}} name: linkerd-proxy - protocol: TCP - containerPort: {{.Port.Admin}} name: linkerd-admin - protocol: TCP readinessProbe: httpGet: path: /ready @@ -77,6 +78,7 @@ allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: {{.UID}} + terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity diff --git a/charts/partials/templates/_volumes.tpl b/charts/partials/templates/_volumes.tpl index 62aea8b22d681..cc863736291e9 100644 --- a/charts/partials/templates/_volumes.tpl +++ b/charts/partials/templates/_volumes.tpl @@ -1,4 +1,4 @@ -{{ define "partials.proxy-identity-volume" -}} +{{ define "partials.proxy.volumes.identity" -}} - emptyDir: medium: Memory name: linkerd-identity-end-entity From 54ab9965b17769108e3c3f923083efd78335c522 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Mon, 29 Jul 2019 15:49:27 -0700 Subject: [PATCH 19/43] Add template for the 'linkerd-config' config map Signed-off-by: ihcsim --- charts/linkerd/templates/config.yaml | 27 ++++++ charts/linkerd/templates/controller.yaml | 8 +- charts/linkerd/templates/grafana.yaml | 8 +- charts/linkerd/templates/heartbeat.yaml | 4 +- charts/linkerd/templates/identity.yaml | 8 +- charts/linkerd/templates/prometheus.yaml | 8 +- .../templates/proxy-injector-rbac.yaml | 4 +- charts/linkerd/templates/proxy-injector.yaml | 6 +- .../linkerd/templates/serviceprofile-crd.yaml | 2 +- .../linkerd/templates/sp-validator-rbac.yaml | 2 +- charts/linkerd/templates/sp-validator.yaml | 6 +- charts/linkerd/templates/tap.yaml | 6 +- .../linkerd/templates/trafficsplit-crd.yaml | 2 +- charts/linkerd/templates/web.yaml | 6 +- charts/linkerd/values.yaml | 89 +++++++++++++------ 15 files changed, 124 insertions(+), 62 deletions(-) create mode 100644 charts/linkerd/templates/config.yaml 
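Review bot: `LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS` renders whatever `.Identity.TrustAnchors` holds with no check, so an unset or empty value yields an env var with an empty body and the chart renders a proxy with no trust anchors instead of failing at template time; wrap it as `{{- required "Proxy.Identity.TrustAnchors must be provided" .Identity.TrustAnchors | trim | nindent 6 }}`. The keepalive values also moved from values-driven settings to a hard-coded `10000ms`; if that is intentional, a comment such as `# keepalives are fixed and intentionally not exposed in values.yaml` would save the next reader from looking for the removed knob. The container definition this hunk belongs to continues outside it.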
diff --git a/charts/linkerd/templates/config.yaml b/charts/linkerd/templates/config.yaml new file mode 100644 index 0000000000000..8ff1a3a1398d8 --- /dev/null +++ b/charts/linkerd/templates/config.yaml @@ -0,0 +1,27 @@ +{{with .Values -}} +{{- if empty .Configs -}} +{{- fail ".Configs must be defined and non-empty" -}} +{{- end -}} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +data: + global: | + {{- toJson (required ".Configs.Global must be non-empty" .Configs.Global) | nindent 4 }} + proxy: | + {{- toJson (required ".Configs.Proxy must be non-empty" .Configs.Proxy) | nindent 4 }} + install: | + {{ if .Configs.Install -}} + {{- toJson .Configs.Install | nindent 4 }} + {{ else }} + {"uuid":"{{ uuidv4 }}","cliVersion":"{{.LinkerdVersion}}", "flags":[]} + {{- end -}} +{{- end}} diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 92c868ecacfeb..cef302f278e55 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -13,7 +13,7 @@ metadata: {{.ControllerComponentLabel}}: controller {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: @@ -32,7 +32,7 @@ metadata: {{.ControllerComponentLabel}}: controller {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: 
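Review bot: The `install` fallback calls `uuidv4` at render time, so whenever `.Configs.Install` is unset every `helm template` or `helm upgrade` writes a fresh `uuid` into `linkerd-config`; if that value is meant to identify the installation across its lifetime (the field name suggests so, but the consumer is outside this hunk) it should be supplied once and carried forward, either by documenting `Configs.Install` as required on upgrades or by replacing the fallback with `required`. The fallback also hand-builds JSON while `global` and `proxy` go through `toJson`; building the map and serialising it the same way, `{{ toJson (dict "uuid" (uuidv4) "cliVersion" .LinkerdVersion "flags" (list)) | nindent 4 }}`, keeps the three entries consistent and removes the manual quoting.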
@@ -51,7 +51,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: controller {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -67,7 +67,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: controller diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index ec1ce67b0d70b..9ef2f73d76547 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml @@ -13,7 +13,7 @@ metadata: {{.ControllerComponentLabel}}: grafana {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} data: grafana.ini: |- instance_name = linkerd-grafana @@ -73,7 +73,7 @@ metadata: {{.ControllerComponentLabel}}: grafana {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: 
@@ -92,7 +92,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: grafana {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -108,7 +108,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: grafana diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml index 42388b1bbf7bd..a639ccf7de12a 100644 --- a/charts/linkerd/templates/heartbeat.yaml +++ b/charts/linkerd/templates/heartbeat.yaml @@ -13,7 +13,7 @@ metadata: {{.ControllerComponentLabel}}: heartbeat {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: schedule: "{{.HeartbeatSchedule}}" jobTemplate: @@ -23,7 +23,7 @@ spec: labels: {{.ControllerComponentLabel}}: heartbeat annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: serviceAccountName: linkerd-heartbeat restartPolicy: OnFailure diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml index dd94f38b8e398..a381a6b219871 100644 --- a/charts/linkerd/templates/identity.yaml +++ b/charts/linkerd/templates/identity.yaml 
@@ -15,7 +15,7 @@ metadata: {{.ControllerComponentLabel}}: identity {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- if .Identity.Issuer.CrtExpiryAnnotation}} {{.Identity.Issuer.CrtExpiryAnnotation}}: {{required "Please provide the identity issuer certificate expiry date" .Identity.Issuer.CrtExpiry}} {{- end}} @@ -33,7 +33,7 @@ metadata: {{.ControllerComponentLabel}}: identity {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: @@ -52,7 +52,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: identity {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -68,7 +68,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: identity diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml index 5b8653797c993..8cb392d12edb8 100644 --- a/charts/linkerd/templates/prometheus.yaml +++ b/charts/linkerd/templates/prometheus.yaml 
@@ -13,7 +13,7 @@ metadata: {{.ControllerComponentLabel}}: prometheus {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} data: prometheus.yml: |- global: @@ -102,7 +102,7 @@ metadata: {{.ControllerComponentLabel}}: prometheus {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: @@ -121,7 +121,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: prometheus {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -137,7 +137,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: prometheus diff --git a/charts/linkerd/templates/proxy-injector-rbac.yaml b/charts/linkerd/templates/proxy-injector-rbac.yaml index 1156c297c0cad..68827ded2896b 100644 --- a/charts/linkerd/templates/proxy-injector-rbac.yaml +++ b/charts/linkerd/templates/proxy-injector-rbac.yaml 
@@ -57,7 +57,7 @@ metadata: {{ .ControllerComponentLabel }}: proxy-injector {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} type: Opaque data: {{ $ca := genCA (printf "linkerd-proxy-injector.%s.svc" .Namespace) 365 -}} @@ -89,7 +89,7 @@ webhooks: apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] - {{- if empty .OmitWebhookSideEffects }} + {{- if not .OmitWebhookSideEffects }} sideEffects: None {{- end -}} {{end -}} diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml index 6c1386223387a..93e90165f9300 100644 --- a/charts/linkerd/templates/proxy-injector.yaml +++ b/charts/linkerd/templates/proxy-injector.yaml @@ -13,7 +13,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: proxy-injector {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -29,7 +29,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: proxy-injector @@ -95,7 +95,7 @@ metadata: {{.ControllerComponentLabel}}: proxy-injector {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: 
diff --git a/charts/linkerd/templates/serviceprofile-crd.yaml b/charts/linkerd/templates/serviceprofile-crd.yaml index 1d6ac4bfd21ca..8ef4fff8c31b1 100644 --- a/charts/linkerd/templates/serviceprofile-crd.yaml +++ b/charts/linkerd/templates/serviceprofile-crd.yaml @@ -9,7 +9,7 @@ kind: CustomResourceDefinition metadata: name: serviceprofiles.linkerd.io annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerNamespaceLabel}}: {{.Namespace}} spec: diff --git a/charts/linkerd/templates/sp-validator-rbac.yaml b/charts/linkerd/templates/sp-validator-rbac.yaml index 2f24283cfdbf0..0a8fc8e26b2cf 100644 --- a/charts/linkerd/templates/sp-validator-rbac.yaml +++ b/charts/linkerd/templates/sp-validator-rbac.yaml @@ -51,7 +51,7 @@ metadata: {{.ControllerComponentLabel}}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} type: Opaque data: {{ $ca := genCA (printf "linkerd-sp-validator.%s.svc" .Namespace) 365 -}} diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml index 02715de8778dd..b8145fff4d4fc 100644 --- a/charts/linkerd/templates/sp-validator.yaml +++ b/charts/linkerd/templates/sp-validator.yaml @@ -13,7 +13,7 @@ metadata: {{.ControllerComponentLabel}}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: 
@@ -32,7 +32,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -48,7 +48,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: sp-validator diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml index 7320a14c4a547..bcf13050e488c 100644 --- a/charts/linkerd/templates/tap.yaml +++ b/charts/linkerd/templates/tap.yaml @@ -13,7 +13,7 @@ metadata: {{.ControllerComponentLabel}}: tap {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: @@ -32,7 +32,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: tap {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -48,7 +48,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: tap 
diff --git a/charts/linkerd/templates/trafficsplit-crd.yaml b/charts/linkerd/templates/trafficsplit-crd.yaml index b2c4e3f5b4e38..12009f495ce4f 100644 --- a/charts/linkerd/templates/trafficsplit-crd.yaml +++ b/charts/linkerd/templates/trafficsplit-crd.yaml @@ -10,7 +10,7 @@ kind: CustomResourceDefinition metadata: name: trafficsplits.split.smi-spec.io annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerNamespaceLabel}}: {{.Namespace}} spec: diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml index 25077f0dbb6e7..3d1e215c3ba60 100644 --- a/charts/linkerd/templates/web.yaml +++ b/charts/linkerd/templates/web.yaml @@ -13,7 +13,7 @@ metadata: {{.ControllerComponentLabel}}: web {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: type: ClusterIP selector: @@ -35,7 +35,7 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} labels: {{.ControllerComponentLabel}}: web {{.ControllerNamespaceLabel}}: {{.Namespace}} @@ -51,7 +51,7 @@ spec: template: metadata: annotations: - {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}} + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} {{- include "partials.proxy.annotations" .Proxy| nindent 8}} labels: {{.ControllerComponentLabel}}: web diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index d960d6d1a74df..64f8ca5bbebff 100644 
--- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -3,10 +3,13 @@ # Declare variables to be passed into your templates. ClusterDomain: &cluster_domain cluster.local +CNIEnabled: &cni_enabled false # not supported in Linkerd 2.5 EnableH2Upgrade: true HighAvailability: &high_availability false -ImagePullPolicy: IfNotPresent +ImagePullPolicy: &image_pull_policy IfNotPresent +LinkerdVersion: &linkerd_version stable-2.4.0 Namespace: &namespace linkerd +OmitWebhookSideEffects: &omit_webhook_side_effects false # controller configuration ControllerImage: gcr.io/linkerd-io/controller @@ -29,7 +32,7 @@ PublicAPIResources: Identity: Issuer: # PEM encoded certificate - CrtPEM: | + CrtPEM: &identity_issuer_crt | -----BEGIN CERTIFICATE----- MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1 @@ -57,6 +60,7 @@ Identity: CPU: <<: *controller_resources_cpu Memory: *controller_resources_memory + TrustDomain: *cluster_domain # grafana configuration GrafanaImage: gcr.io/linkerd-io/grafana 
@@ -84,43 +88,34 @@ Proxy: Identity: TrustDomain: *cluster_domain TrustAnchors: | - -----BEGIN CERTIFICATE----- - MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 - eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1 - MDMxNzA4WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j - YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATwPFIAEAosip9WpovFw3MrJQ3W - NqCzU54MXTMUEaNQBNcHyzz8xfZ2vZY56TQQod3HQ8dEcPwRNgTFJxgzdt03o0Iw - QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC - MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJpWjlDgXGo8hgvr - WX/H+QmI4sSA3EiW1J9ZNweS94UsAiB9IN9rkv/b47tYsynZCpLTzSeF7+16VdyI - DT1weqC2Vg== - -----END CERTIFICATE----- + <<: *identity_issuer_crt Image: - Name: gcr.io/linkerd-io/proxy - PullPolicy: IfNotPresent - LogLevel: warn,linkerd2_proxy=info + Name: &proxy_image_name gcr.io/linkerd-io/proxy + PullPolicy: *image_pull_policy + Version: *linkerd_version + LogLevel: &proxy_log_level warn,linkerd2_proxy=info Port: &proxy_ports - Admin: 4191 - Control: 4190 - Inbound: 4143 - Outbound: 4140 + Admin: &proxy_port_admin 4191 + Control: &proxy_port_control 4190 + Inbound: &proxy_port_inbound 4143 + Outbound: &proxy_port_outbound 4140 UID: &proxy_uid 2102 # use this to override the default resource requirements in HA mode ResourceRequirements: CPU: - Limit: "1" - Request: 100m + Limit: &proxy_cpu_limit "1" + Request: &proxy_cpu_request 100m Memory: - Limit: 250Mi - Request: 20Mi + Limit: &proxy_memory_limit 250Mi + Request: &proxy_memory_request 20Mi # proxy-init configuration ProxyInit: Image: - Name: gcr.io/linkerd-io/proxy-init - PullPolicy: IfNotPresent - Version: v1.0.0 + Name: &proxy_init_image_name gcr.io/linkerd-io/proxy-init + PullPolicy: *image_pull_policy + Version: &proxy_init_image_version v1.0.0 Proxy: Port: <<: *proxy_ports 
@@ -154,6 +149,46 @@ WebImage: gcr.io/linkerd-io/web WebResources: <<: *controller_resources +# linkerd-config config map data +Configs: + Global: + clusterDomain: *cluster_domain + cniEnabled: *cni_enabled + identityContext: + trustAnchorsPem": *identity_issuer_crt + trustDomain: *cluster_domain + linkerdNamespace: *namespace + omitWebhookSideEffects: *omit_webhook_side_effects + version: *linkerd_version + Proxy: + adminPort: + port: *proxy_port_admin + controlPort: + port: *proxy_port_control + ignoreInboundPorts: [] + ignoreOutboundPorts: [] + inboundPort: + port: *proxy_port_inbound + logLevel: + level: *proxy_log_level + outboundPort: + port: *proxy_port_outbound + proxyImage: + imageName: *proxy_image_name + pullPolicy: *image_pull_policy + proxyInitImage: + imageName: *proxy_init_image_name + pullPolicy: *image_pull_policy + proxyInitImageVersion: *proxy_init_image_version + proxyUid: *proxy_uid + proxyVersion: *linkerd_version + resource: + limitCpu: *proxy_cpu_limit + limitMemory: *proxy_memory_limit + requestCpu: *proxy_cpu_request + requestMemory: *proxy_memory_request + disableExternalProfiles: true + # annotations CreatedByAnnotation: linkerd.io/created-by ProxyInjectAnnotation: linkerd.io/inject From 667b7ceb9532b33083fa72f9fbb6a8fd721ccc73 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Mon, 29 Jul 2019 19:52:52 -0700 Subject: [PATCH 20/43] Add debug container template Signed-off-by: ihcsim --- charts/partials/templates/_debug.tpl | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 charts/partials/templates/_debug.tpl diff --git a/charts/partials/templates/_debug.tpl b/charts/partials/templates/_debug.tpl new file mode 100644 index 0000000000000..993f305439da9 --- /dev/null +++ b/charts/partials/templates/_debug.tpl @@ -0,0 +1,6 @@ +{{- define "partials.debug" -}} +- image: {{.Image.Name}}:{{.Image.Version}} + imagePullPolicy: {{.Image.PullPolicy}} + name: linkerd-debug + terminationMessagePolicy: FallbackToLogsOnError +{{- end -}} 
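Review bot: `trustAnchorsPem": *identity_issuer_crt` carries a stray double quote inside the key, so YAML reads the plain-scalar key as `trustAnchorsPem"` and `toJson` in config.yaml emits a key of that name; anything that reads `identityContext.trustAnchorsPem` from `linkerd-config` would find no trust anchors at all. The fix is `trustAnchorsPem: *identity_issuer_crt`. Because this value feeds the trust configuration of injected workloads, a render-time check in config.yaml that the serialised `identityContext` contains a non-empty `trustAnchorsPem` would catch this class of typo before it reaches a cluster.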
From e479a21a86a1bacd3426567b9537ec55a833e67a Mon Sep 17 00:00:00 2001 From: ihcsim Date: Mon, 29 Jul 2019 21:00:28 -0700 Subject: [PATCH 21/43] Update proxy partial with 'disable-identity' and 'disable-tap' variables Note that these are inject-only variables. Also added the LINKERD2_PROXY_TAP_SVC_NAME env var. Signed-off-by: ihcsim --- charts/linkerd/templates/config.yaml | 4 ++-- charts/linkerd/templates/heartbeat.yaml | 2 -- charts/linkerd/values.yaml | 8 +++++--- charts/partials/templates/_proxy.tpl | 12 ++++++++++++ 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/charts/linkerd/templates/config.yaml b/charts/linkerd/templates/config.yaml index 8ff1a3a1398d8..653832d153722 100644 --- a/charts/linkerd/templates/config.yaml +++ b/charts/linkerd/templates/config.yaml @@ -19,9 +19,9 @@ data: proxy: | {{- toJson (required ".Configs.Proxy must be non-empty" .Configs.Proxy) | nindent 4 }} install: | - {{ if .Configs.Install -}} + {{- if .Configs.Install -}} {{- toJson .Configs.Install | nindent 4 }} {{ else }} {"uuid":"{{ uuidv4 }}","cliVersion":"{{.LinkerdVersion}}", "flags":[]} {{- end -}} -{{- end}} +{{- end -}} diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml index a639ccf7de12a..6f05d47204c19 100644 --- a/charts/linkerd/templates/heartbeat.yaml +++ b/charts/linkerd/templates/heartbeat.yaml @@ -36,8 +36,6 @@ spec: - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090" - "-controller-namespace={{.Namespace}}" - "-log-level={{.ControllerLogLevel}}" - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} - imagePullPolicy: {{.ImagePullPolicy}} {{- if eq .HighAvailability true -}} {{- include "partials.resources" .HeartbeatResources | nindent 12 }} {{- end }} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 64f8ca5bbebff..4e29a52516a0b 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml 
@@ -82,13 +82,11 @@ PrometheusResources: Proxy: ClusterDomain: *cluster_domain ControlPlaneNamespace: *namespace - DisableIdentity: false EnableExternalProfile: false HighAvailability: *high_availability Identity: TrustDomain: *cluster_domain - TrustAnchors: | - <<: *identity_issuer_crt + TrustAnchors: *identity_issuer_crt Image: Name: &proxy_image_name gcr.io/linkerd-io/proxy PullPolicy: *image_pull_policy @@ -110,6 +108,10 @@ Proxy: Limit: &proxy_memory_limit 250Mi Request: &proxy_memory_request 20Mi + # inject-only options. Do not change this for control plane installation + DisableIdentity: false + DisableTap: false + # proxy-init configuration ProxyInit: Image: diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index fedf3408cbad4..66a59e3a5af23 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -29,6 +29,10 @@ - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY value: "10000" {{ end -}} + {{ if .DisableIdentity -}} + - name: LINKERD2_PROXY_IDENTITY_DISABLED + value: disabled + {{ else -}} - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS @@ -53,6 +57,14 @@ value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + {{ end -}} + {{ if .DisableTap -}} + - name: LINKERD2_PROXY_TAP_DISABLED + value: "true" + {{ else -}} + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + {{ end -}} image: {{.Image.Name}}:{{.Image.Version}} imagePullPolicy: {{.Image.PullPolicy}} livenessProbe: From f42de85fe99b3a8af629fb535e568e92f8644c07 Mon Sep 17 00:00:00 2001 
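Review bot: `LINKERD2_PROXY_TAP_SVC_NAME` expands `$(_l5d_ns)` and `$(_l5d_trustdomain)`, but the `_l5d_ns` and `_l5d_trustdomain` env entries sit inside the identity branch that the new `{{ if .DisableIdentity -}}` … `{{ end -}}` pair now brackets (they appear between `LINKERD2_PROXY_IDENTITY_SVC_ADDR` and `LINKERD2_PROXY_IDENTITY_LOCAL_NAME` in the context of a later hunk of this file), so with `DisableIdentity: true` and `DisableTap: false` Kubernetes leaves the `$(…)` references unexpanded. Either move those two helper vars above the identity branch, or have the template treat `DisableIdentity` as implying `DisableTap`, whichever matches the injector's intent — the hunk does not say. Minor: the disabled markers differ in form (`value: disabled` for identity, `value: "true"` for tap); if the proxy only keys on presence, a short comment would stop a later reader from "unifying" them. The `partials.proxy` body continues outside both hunks.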
From: ihcsim Date: Mon, 29 Jul 2019 21:37:26 -0700 Subject: [PATCH 22/43] Add validation conditions to ensure identity and tap aren't disabled for control plane components Signed-off-by: ihcsim --- charts/linkerd/templates/_validate.tpl | 9 +++++++++ charts/linkerd/templates/controller.yaml | 1 + charts/linkerd/templates/grafana.yaml | 1 + charts/linkerd/templates/identity.yaml | 1 + charts/linkerd/templates/prometheus.yaml | 1 + charts/linkerd/templates/proxy-injector.yaml | 1 + charts/linkerd/templates/sp-validator.yaml | 1 + charts/linkerd/templates/tap.yaml | 1 + charts/linkerd/templates/web.yaml | 1 + 9 files changed, 17 insertions(+) create mode 100644 charts/linkerd/templates/_validate.tpl diff --git a/charts/linkerd/templates/_validate.tpl b/charts/linkerd/templates/_validate.tpl new file mode 100644 index 0000000000000..959a98a6bd696 --- /dev/null +++ b/charts/linkerd/templates/_validate.tpl @@ -0,0 +1,9 @@ +{{- define "linkerd.proxy.validation" -}} +{{- if .DisableIdentity -}} +{{- fail (printf "Can't disable identity mTLS for %s. Set '.Values.Proxy.DisableIdentity' to 'false'" .Component) -}} +{{- end -}} + +{{- if .DisableTap -}} +{{- fail (printf "Can't disable tap for %s. Set '.Values.Proxy.DisableTap' to 'false'" .Component) -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index cef302f278e55..4ecdb89c1df50 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -47,6 +47,7 @@ spec: {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-controller" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index 9ef2f73d76547..acf196cd28251 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml 
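Review bot: `linkerd.proxy.validation` carries no comment describing its input contract (`.Component`, `.DisableIdentity`, `.DisableTap` — i.e. the `.Proxy` map after `set .Proxy "Component" …` has run), and because it is included from eight deployment templates the ordering dependency on the preceding `set` line is easy to break silently (an unset `.Component` just produces a message naming nothing). Add a header such as `{{/* linkerd.proxy.validation aborts rendering when inject-only proxy flags are set for a control-plane component. Call with .Proxy after .Proxy.Component has been set. */}}`. The `include "linkerd.proxy.validation" .Proxy` lines in controller, grafana, identity, prometheus, proxy-injector, sp-validator, tap and web are identical and are covered by this note.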
@@ -88,6 +88,7 @@ spec: {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-grafana" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml index a381a6b219871..082ebe323c528 100644 --- a/charts/linkerd/templates/identity.yaml +++ b/charts/linkerd/templates/identity.yaml @@ -48,6 +48,7 @@ spec: {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-identity" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml index 8cb392d12edb8..a4be3ad9d1797 100644 --- a/charts/linkerd/templates/prometheus.yaml +++ b/charts/linkerd/templates/prometheus.yaml @@ -117,6 +117,7 @@ spec: {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-prometheus" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml index 93e90165f9300..289cd5e433da0 100644 --- a/charts/linkerd/templates/proxy-injector.yaml +++ b/charts/linkerd/templates/proxy-injector.yaml @@ -9,6 +9,7 @@ {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-proxy-injector" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml index b8145fff4d4fc..25766e22c6db5 100644 --- a/charts/linkerd/templates/sp-validator.yaml +++ b/charts/linkerd/templates/sp-validator.yaml 
@@ -28,6 +28,7 @@ spec: {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-sp-validator" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml index bcf13050e488c..846ea94485dac 100644 --- a/charts/linkerd/templates/tap.yaml +++ b/charts/linkerd/templates/tap.yaml @@ -28,6 +28,7 @@ spec: {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-tap" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml index 3d1e215c3ba60..213046aebf750 100644 --- a/charts/linkerd/templates/web.yaml +++ b/charts/linkerd/templates/web.yaml @@ -31,6 +31,7 @@ spec: {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-web" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} apiVersion: apps/v1 kind: Deployment metadata: From 5efe1373fb2416c0777ee3ece885eea3757fe4fc Mon Sep 17 00:00:00 2001 From: ihcsim Date: Tue, 30 Jul 2019 11:03:04 -0700 Subject: [PATCH 23/43] Add partials for service account token mount path and security context capabilities Signed-off-by: ihcsim --- charts/linkerd/values.yaml | 7 +++++++ charts/partials/templates/_capabilities.tpl | 16 ++++++++++++++++ charts/partials/templates/_proxy-init.tpl | 12 ++++++++++++ charts/partials/templates/_proxy.tpl | 6 ++++++ 4 files changed, 41 insertions(+) create mode 100644 charts/partials/templates/_capabilities.tpl diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 4e29a52516a0b..bb8dc44256fde 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml 
@@ -80,6 +80,9 @@ PrometheusResources: # proxy configuration Proxy: + Capabilities: + Add: + Drop: ClusterDomain: *cluster_domain ControlPlaneNamespace: *namespace EnableExternalProfile: false @@ -92,6 +95,7 @@ Proxy: PullPolicy: *image_pull_policy Version: *linkerd_version LogLevel: &proxy_log_level warn,linkerd2_proxy=info + MountPaths: Port: &proxy_ports Admin: &proxy_port_admin 4191 Control: &proxy_port_control 4190 @@ -114,6 +118,9 @@ Proxy: # proxy-init configuration ProxyInit: + Capabilities: + Add: + Drop: Image: Name: &proxy_init_image_name gcr.io/linkerd-io/proxy-init PullPolicy: *image_pull_policy diff --git a/charts/partials/templates/_capabilities.tpl b/charts/partials/templates/_capabilities.tpl new file mode 100644 index 0000000000000..48eca891c2426 --- /dev/null +++ b/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Capabilities.Add }} + add: + {{- toYaml .Capabilities.Add | trim | nindent 2 }} + {{- end }} + {{- if .Capabilities.Drop }} + drop: + {{- toYaml .Capabilities.Drop | trim | nindent 2 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Capabilities.Drop | trim }} +{{- end -}} diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index 14f69fb232a7c..3df9de3a8ab83 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl 
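Review bot: `Add:`, `Drop:` and `MountPaths:` are written as bare keys, which YAML reads as null; since the templates test them with `if` and feed them to `toYaml`, write `Add: []`, `Drop: []` and `MountPaths: []` so the intended type is visible and overrides have a list to land in. `Proxy.Capabilities.Add` widens the privileges of a container that otherwise runs with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and a non-root UID, so a comment on the key stating that it is an injection-time escape hatch and not a control-plane setting would help reviewers of future overrides. In `_capabilities.tpl`, `partials.proxy.capabilities` emits `capabilities:` even when both lists are empty, yielding a null field; wrap the body in `{{- if or .Capabilities.Add .Capabilities.Drop }}` … `{{- end }}` or guard at the call site.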
@@ -20,9 +20,21 @@ add: - NET_ADMIN - NET_RAW + {{- if .Capabilities -}} + {{- if .Capabilities.Add }} + {{- toYaml .Capabilities.Add | trim | nindent 6 }} + {{- end }} + {{- if .Capabilities.Drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 6 -}} + {{- end }} + {{- end }} privileged: false readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError + {{- if .MountPaths }} + volumeMounts: + {{- toYaml .MountPaths | trim | nindent 2 -}} + {{- end }} {{- end -}} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 66a59e3a5af23..f00f29e090826 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -88,10 +88,16 @@ {{- end }} securityContext: allowPrivilegeEscalation: false + {{- if .Capabilities -}} + {{- include "partials.proxy.capabilities" . | nindent 4 -}} + {{- end }} readOnlyRootFilesystem: true runAsUser: {{.UID}} terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity + {{- if .MountPaths }} + {{- toYaml .MountPaths | trim | nindent 2 -}} + {{- end }} {{ end -}} From 430d4ee09949883b93eb8949ddea4adcb7bd4335 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Tue, 30 Jul 2019 14:24:15 -0700 Subject: [PATCH 24/43] Change proxy and proxy-init templates to use global scope Some of the nested variables are removed from values.yaml to ensure changes made to root-level variables are propagated directly into the partial templates. The previous approach of using YAML anchors in the values.yaml to share common values can get out-of-sync when values are changed via the Helm's `--set` option. 
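Review bot: `{{- if .Capabilities -}}` in the `_proxy.tpl` hunk guards on the `Capabilities` map, which in values.yaml is a map with two null entries and therefore truthy, so `partials.proxy.capabilities` is included on every render and places a bare `capabilities:` (a null field) under `securityContext`; test the lists instead, `{{- if or .Capabilities.Add .Capabilities.Drop -}}`. The proxy-init hunk has the same guard shape but its `add:` list is always non-empty, so only the proxy side produces a null. The same guard reappears as `{{- if .Proxy.Capabilities -}}` in the patch-24 hunk of `_proxy.tpl`. Both defines start outside these hunks.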
Signed-off-by: Ivan Sim --- charts/linkerd/templates/_config.tpl | 64 +++++++++++++ charts/linkerd/templates/config.yaml | 29 ++++-- charts/linkerd/templates/controller.yaml | 4 +- charts/linkerd/templates/grafana.yaml | 4 +- charts/linkerd/templates/identity.yaml | 4 +- charts/linkerd/templates/prometheus.yaml | 4 +- charts/linkerd/templates/proxy-injector.yaml | 4 +- charts/linkerd/templates/sp-validator.yaml | 4 +- charts/linkerd/templates/tap.yaml | 4 +- charts/linkerd/templates/web.yaml | 4 +- charts/linkerd/values.yaml | 97 ++++++-------------- charts/partials/templates/_proxy-init.tpl | 24 ++--- charts/partials/templates/_proxy.tpl | 50 +++++----- 13 files changed, 163 insertions(+), 133 deletions(-) create mode 100644 charts/linkerd/templates/_config.tpl diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl new file mode 100644 index 0000000000000..c8bc7f89085df --- /dev/null +++ b/charts/linkerd/templates/_config.tpl 
@@ -0,0 +1,64 @@
+{{- define "linkerd.configs.global" -}}
+{
+ "autoInjectContext": null,
+ "clusterDomain": "{{.ClusterDomain}}",
+ "cniEnabled": {{.CNIEnabled}},
+ "identityContext":{
+ "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}",
+ "issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}",
+ "trustAnchorsPem": "{{.Identity.Issuer.CrtPEM}}",
+ "trustDomain": "{{.TrustDomain}}"
+ },
+ "linkerdNamespace": "{{.Namespace}}",
+ "omitWebhookSideEffects": {{.OmitWebhookSideEffects}},
+ "version": "{{.LinkerdVersion}}"
+}
+{{- end -}}
+
+{{- define "linkerd.configs.proxy" -}}
+{
+ "adminPort":{
+ "port": {{.Proxy.Port.Admin}}
+ },
+ "controlPort":{
+ "port": {{.Proxy.Port.Control}}
+ },
+ "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}},
+ "ignoreInboundPorts": {{splitList "," .ProxyInit.IgnoreInboundPorts}},
+ "ignoreOutboundPorts": {{splitList "," .ProxyInit.IgnoreOutboundPorts}},
+ "inboundPort":{
+ "port": {{.Proxy.Port.Inbound}}
+ },
+ "logLevel":{
+ "level": "{{.Proxy.LogLevel}}"
+ },
+ "outboundPort":{
+ "port": {{.Proxy.Port.Outbound}}
+ },
+ "proxyImage":{
+ "imageName":"{{.Proxy.Image.Name}}",
+ "pullPolicy":"{{.Proxy.Image.PullPolicy}}"
+ },
+ "proxyInitImage":{
+ "imageName":"{{.ProxyInit.Image.Name}}",
+ "pullPolicy":"{{.ProxyInit.Image.PullPolicy}}"
+ },
+ "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}",
+ "proxyUid": {{.Proxy.UID}},
+ "proxyVersion": "{{.Proxy.Image.Version}}",
+ "resource":{
+ "limitCpu": "{{.Proxy.ResourceRequirements.CPU.Limit}}",
+ "limitMemory": "{{.Proxy.ResourceRequirements.Memory.Limit}}",
+ "requestCpu": "{{.Proxy.ResourceRequirements.CPU.Request}}",
+ "requestMemory": "{{.Proxy.ResourceRequirements.Memory.Request}}"
+ }
+}
+{{- end -}}
+
+{{- define "linkerd.configs.install" -}}
+{
+ "uuid":"{{ uuidv4 }}",
+ "cliVersion":"{{ .LinkerdVersion }}",
+ "flags":[]
+}
+{{- end -}}
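Review bot: Three interpolations here produce invalid JSON: `"trustAnchorsPem": "{{.Identity.Issuer.CrtPEM}}"` pastes a multi-line PEM block, raw newlines included, into a JSON string, and `{{splitList "," .ProxyInit.IgnoreInboundPorts}}` / `{{splitList "," .ProxyInit.IgnoreOutboundPorts}}` print a Go slice (`[443]`, not `["443"]`). Pipe each through `toJson`, which this chart already uses elsewhere: `"trustAnchorsPem": {{.Identity.Issuer.CrtPEM | toJson}},` and `"ignoreInboundPorts": {{splitList "," .ProxyInit.IgnoreInboundPorts | toJson}},` (likewise for outbound); note `splitList "," ""` yields `[""]`, so the empty default still needs a guard if the consumer rejects an empty port string. `"trustDomain": "{{.TrustDomain}}"` reads a root-level key while the `_proxy.tpl` hunk in this same patch reads `.Identity.TrustDomain` for the same value — one of the two paths is presumably wrong; confirm which key values.yaml defines.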
diff --git a/charts/linkerd/templates/config.yaml b/charts/linkerd/templates/config.yaml index 653832d153722..602164a97ae5c 100644 --- a/charts/linkerd/templates/config.yaml +++ b/charts/linkerd/templates/config.yaml @@ -1,7 +1,4 @@ {{with .Values -}} -{{- if empty .Configs -}} -{{- fail ".Configs must be defined and non-empty" -}} -{{- end -}} --- kind: ConfigMap apiVersion: v1 @@ -15,13 +12,27 @@ metadata: {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} data: global: | - {{- toJson (required ".Configs.Global must be non-empty" .Configs.Global) | nindent 4 }} + {{- if .Configs -}} + {{- if .Configs.Global -}} + {{.Configs.Global}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.global" . | nindent 4}} + {{- end }} proxy: | - {{- toJson (required ".Configs.Proxy must be non-empty" .Configs.Proxy) | nindent 4 }} + {{- if .Configs -}} + {{- if .Configs.Proxy -}} + {{.Configs.Proxy}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.proxy" . | nindent 4}} + {{- end }} install: | + {{- if .Configs -}} {{- if .Configs.Install -}} - {{- toJson .Configs.Install | nindent 4 }} - {{ else }} - {"uuid":"{{ uuidv4 }}","cliVersion":"{{.LinkerdVersion}}", "flags":[]} - {{- end -}} + {{.Configs.Instal}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.install" . | nindent 4}} + {{- end }} {{- end -}} diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 4ecdb89c1df50..768017e325920 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -144,9 +144,9 @@ spec: volumeMounts: - mountPath: /var/run/linkerd/config name: config - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-controller volumes: - configMap: 
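Review bot: `{{.Configs.Instal}}` in the `install:` branch is a typo for `.Configs.Install`, so a user-supplied install config renders empty (or as `<no value>`, depending on the missingkey option in effect). Separately, the `{{- if .Configs -}}` / `{{- if .Configs.Global -}}` pair trims the newline and indent that followed `global: |`, so `{{.Configs.Global}}` lands on the same line as the block-scalar indicator (`global: |{…}`), which is not valid YAML; keep the previous `| nindent 4` form — `{{- .Configs.Global | nindent 4 }}` if the value is now a pre-rendered string, `{{- toJson .Configs.Global | nindent 4 }}` if it is still a map. The `proxy:` and `install:` branches have the same shape. Nothing states whether `.Configs.*` is now a string or a map; a comment on the `data:` block would settle it for the next reader.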
diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index acf196cd28251..9710aed4baa12 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml @@ -146,9 +146,9 @@ spec: - mountPath: /etc/grafana name: grafana-config readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-grafana volumes: - emptyDir: {} diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml index 082ebe323c528..b73c18bfd5d5f 100644 --- a/charts/linkerd/templates/identity.yaml +++ b/charts/linkerd/templates/identity.yaml @@ -112,9 +112,9 @@ spec: name: config - mountPath: /var/run/linkerd/identity/issuer name: identity-issuer - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-identity volumes: - configMap: diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml index a4be3ad9d1797..0eadaf7f64566 100644 --- a/charts/linkerd/templates/prometheus.yaml +++ b/charts/linkerd/templates/prometheus.yaml @@ -180,9 +180,9 @@ spec: - mountPath: /etc/prometheus name: prometheus-config readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-prometheus volumes: - emptyDir: {} diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml index 289cd5e433da0..7df29d8cef88f 100644 
--- a/charts/linkerd/templates/proxy-injector.yaml +++ b/charts/linkerd/templates/proxy-injector.yaml @@ -74,9 +74,9 @@ spec: - mountPath: /var/run/linkerd/tls name: tls readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-proxy-injector volumes: - configMap: diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml index 25766e22c6db5..097d9029775ea 100644 --- a/charts/linkerd/templates/sp-validator.yaml +++ b/charts/linkerd/templates/sp-validator.yaml @@ -91,9 +91,9 @@ spec: - mountPath: /var/run/linkerd/tls name: tls readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-sp-validator volumes: - name: tls diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml index 846ea94485dac..8ae8e99e90cf7 100644 --- a/charts/linkerd/templates/tap.yaml +++ b/charts/linkerd/templates/tap.yaml @@ -88,9 +88,9 @@ spec: {{- end }} securityContext: runAsUser: {{.ControllerUID}} - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-tap volumes: {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml index 213046aebf750..71ed28ec46205 100644 --- a/charts/linkerd/templates/web.yaml +++ b/charts/linkerd/templates/web.yaml 
@@ -91,9 +91,9 @@ spec: volumeMounts: - mountPath: /var/run/linkerd/config name: config - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-web volumes: - configMap: diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index bb8dc44256fde..767744965b47c 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -3,13 +3,13 @@ # Declare variables to be passed into your templates. ClusterDomain: &cluster_domain cluster.local -CNIEnabled: &cni_enabled false # not supported in Linkerd 2.5 +CNIEnabled: false # not supported in Linkerd 2.5 EnableH2Upgrade: true -HighAvailability: &high_availability false +HighAvailability: false ImagePullPolicy: &image_pull_policy IfNotPresent LinkerdVersion: &linkerd_version stable-2.4.0 -Namespace: &namespace linkerd -OmitWebhookSideEffects: &omit_webhook_side_effects false +Namespace: linkerd +OmitWebhookSideEffects: false # controller configuration ControllerImage: gcr.io/linkerd-io/controller @@ -31,8 +31,10 @@ PublicAPIResources: # identity configuration Identity: Issuer: + ClockSkewAllowance: 20s + # PEM encoded certificate - CrtPEM: &identity_issuer_crt | + CrtPEM: | -----BEGIN CERTIFICATE----- MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1 @@ -49,6 +51,8 @@ Identity: CrtExpiry: 2020-07-25T03:17:08Z CrtExpiryAnnotation: linkerd.io/identity-issuer-expiry + IssuanceLifeTime: 86400s + # PEM encode ECDSA private key KeyPEM: | -----BEGIN EC PRIVATE KEY----- 
@@ -83,34 +87,28 @@ Proxy: Capabilities: Add: Drop: - ClusterDomain: *cluster_domain - ControlPlaneNamespace: *namespace EnableExternalProfile: false - HighAvailability: *high_availability - Identity: - TrustDomain: *cluster_domain - TrustAnchors: *identity_issuer_crt Image: - Name: &proxy_image_name gcr.io/linkerd-io/proxy + Name: gcr.io/linkerd-io/proxy PullPolicy: *image_pull_policy Version: *linkerd_version - LogLevel: &proxy_log_level warn,linkerd2_proxy=info + LogLevel: warn,linkerd2_proxy=info MountPaths: - Port: &proxy_ports - Admin: &proxy_port_admin 4191 - Control: &proxy_port_control 4190 - Inbound: &proxy_port_inbound 4143 - Outbound: &proxy_port_outbound 4140 - UID: &proxy_uid 2102 + Port: + Admin: 4191 + Control: 4190 + Inbound: 4143 + Outbound: 4140 + UID: 2102 # use this to override the default resource requirements in HA mode ResourceRequirements: CPU: - Limit: &proxy_cpu_limit "1" - Request: &proxy_cpu_request 100m + Limit: "1" + Request: 100m Memory: - Limit: &proxy_memory_limit 250Mi - Request: &proxy_memory_request 20Mi + Limit: 250Mi + Request: 20Mi # inject-only options. Do not change this for control plane installation DisableIdentity: false @@ -122,15 +120,12 @@ ProxyInit: Add: Drop: Image: - Name: &proxy_init_image_name gcr.io/linkerd-io/proxy-init + Name: gcr.io/linkerd-io/proxy-init PullPolicy: *image_pull_policy - Version: &proxy_init_image_version v1.0.0 - Proxy: - Port: - <<: *proxy_ports - IgnoreInboundPorts: "" - IgnoreOutboundPorts: "443" - UID: *proxy_uid + Version: v1.0.0 + IgnoreInboundPorts: "" + IgnoreOutboundPorts: "443" + MountPath: # use this to override the default resource requirements in HA mode ResourceRequirements: 
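Review bot: The new `ProxyInit.MountPath:` key does not match the template, which reads `.ProxyInit.MountPaths` in the `_proxy-init.tpl` hunk of this same patch, so a mount list supplied under `ProxyInit.MountPath` is silently ignored; rename it to `MountPaths:` to match `Proxy.MountPaths`. Like `Add:`/`Drop:` it is a bare key (null) — `MountPaths: []` states the intended type. The key survives unchanged as `MountPath:` in the patch-25 hunk of this file.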
@@ -158,46 +153,6 @@ WebImage: gcr.io/linkerd-io/web WebResources: <<: *controller_resources -# linkerd-config config map data -Configs: - Global: - clusterDomain: *cluster_domain - cniEnabled: *cni_enabled - identityContext: - trustAnchorsPem": *identity_issuer_crt - trustDomain: *cluster_domain - linkerdNamespace: *namespace - omitWebhookSideEffects: *omit_webhook_side_effects - version: *linkerd_version - Proxy: - adminPort: - port: *proxy_port_admin - controlPort: - port: *proxy_port_control - ignoreInboundPorts: [] - ignoreOutboundPorts: [] - inboundPort: - port: *proxy_port_inbound - logLevel: - level: *proxy_log_level - outboundPort: - port: *proxy_port_outbound - proxyImage: - imageName: *proxy_image_name - pullPolicy: *image_pull_policy - proxyInitImage: - imageName: *proxy_init_image_name - pullPolicy: *image_pull_policy - proxyInitImageVersion: *proxy_init_image_version - proxyUid: *proxy_uid - proxyVersion: *linkerd_version - resource: - limitCpu: *proxy_cpu_limit - limitMemory: *proxy_memory_limit - requestCpu: *proxy_cpu_request - requestMemory: *proxy_memory_request - disableExternalProfiles: true - # annotations CreatedByAnnotation: linkerd.io/created-by ProxyInjectAnnotation: linkerd.io/inject diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index 3df9de3a8ab83..a3d6bb9a537c8 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl 
@@ -7,25 +7,25 @@ - --proxy-uid - {{.Proxy.UID | quote}} - --inbound-ports-to-ignore - - {{.Proxy.Port.Control}},{{.Proxy.Port.Admin}}{{ternary (printf ",%s" .Proxy.Port.IgnoreInboundPorts) "" (ne .Proxy.Port.IgnoreInboundPorts "")}} + - {{.Proxy.Port.Control}},{{.Proxy.Port.Admin}}{{ternary (printf ",%s" .ProxyInit.IgnoreInboundPorts) "" (ne .ProxyInit.IgnoreInboundPorts "")}} - --outbound-ports-to-ignore - - {{.Proxy.Port.IgnoreOutboundPorts | quote}} - image: {{.Image.Name}}:{{.Image.Version}} - imagePullPolicy: {{.Image.PullPolicy}} + - {{.ProxyInit.IgnoreOutboundPorts | quote}} + image: {{.ProxyInit.Image.Name}}:{{.ProxyInit.Image.Version}} + imagePullPolicy: {{.ProxyInit.Image.PullPolicy}} name: linkerd-init - {{- include "partials.resources" .ResourceRequirements | nindent 2 }} + {{- include "partials.resources" .ProxyInit.ResourceRequirements | nindent 2 }} securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW - {{- if .Capabilities -}} - {{- if .Capabilities.Add }} - {{- toYaml .Capabilities.Add | trim | nindent 6 }} + {{- if .ProxyInit.Capabilities -}} + {{- if .ProxyInit.Capabilities.Add }} + {{- toYaml .ProxyInit.Capabilities.Add | trim | nindent 6 }} {{- end }} - {{- if .Capabilities.Drop -}} - {{- include "partials.proxy-init.capabilities.drop" . | nindent 6 -}} + {{- if .ProxyInit.Capabilities.Drop -}} + {{- include "partials.proxy-init.capabilities.drop" .ProxyInit | nindent 6 -}} {{- end }} {{- end }} privileged: false @@ -33,8 +33,8 @@ runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError - {{- if .MountPaths }} + {{- if .ProxyInit.MountPaths }} volumeMounts: - {{- toYaml .MountPaths | trim | nindent 2 -}} + {{- toYaml .ProxyInit.MountPaths | trim | nindent 2 -}} {{- end }} {{- end -}} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index f00f29e090826..97df8844e166e 100644 --- a/charts/partials/templates/_proxy.tpl 
+++ b/charts/partials/templates/_proxy.tpl @@ -1,20 +1,20 @@ {{ define "partials.proxy" -}} - env: - name: LINKERD2_PROXY_LOG - value: {{.LogLevel}} + value: {{.Proxy.LogLevel}} - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .ControlPlaneNamespace .ClusterDomain) (eq .Component "linkerd-controller")}} + value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .Namespace .ClusterDomain) (eq .Proxy.Component "linkerd-controller")}} - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:{{.Port.Control}} + value: 0.0.0.0:{{.Proxy.Port.Control}} - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:{{.Port.Admin}} + value: 0.0.0.0:{{.Proxy.Port.Admin}} - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:{{.Port.Outbound}} + value: 127.0.0.1:{{.Proxy.Port.Outbound}} - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:{{.Port.Inbound}} + value: 0.0.0.0:{{.Proxy.Port.Inbound}} - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES {{- $internalProfileSuffix := printf "svc.%s." .ClusterDomain }} - value: {{ternary "." $internalProfileSuffix .EnableExternalProfile}} + value: {{ternary "." $internalProfileSuffix .Proxy.EnableExternalProfile}} - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE @@ -25,7 +25,7 @@ fieldPath: metadata.namespace - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: ns:$(_pod_ns) - {{ if eq .Component "linkerd-prometheus" -}} + {{ if eq .Proxy.Component "linkerd-prometheus" -}} - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY value: "10000" {{ end -}} 
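Review bot: `partials.proxy` now reads the chart's root values (`.Proxy.*`, `.Namespace`, `.ClusterDomain`, `.Identity.*`, `.HighAvailability`) instead of the `.Proxy` sub-map, and every caller changed from `include "partials.proxy" .Proxy` to `include "partials.proxy" .` in the same patch, but the define line carries no comment stating the new contract. Add above it `{{/* partials.proxy renders the linkerd-proxy sidecar. Call with the root .Values scope: reads .Proxy.*, .Namespace, .ClusterDomain, .Identity.*, .HighAvailability; the caller must set .Proxy.Component first. */}}`. The same applies to `partials.proxy-init` in `_proxy-init.tpl`, whose define line lies outside that patch's hunk. The body of `partials.proxy` continues beyond both hunks here.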
@@ -37,18 +37,18 @@ value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | - {{- .Identity.TrustAnchors | trim | nindent 6 }} + {{- .Identity.Issuer.CrtPEM | trim | nindent 6 }} - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .ControlPlaneNamespace .ClusterDomain }} - value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Component "linkerd-identity")}} + {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .Namespace .ClusterDomain }} + value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Proxy.Component "linkerd-identity")}} - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns - value: {{.ControlPlaneNamespace}} + value: {{.Namespace}} - name: _l5d_trustdomain value: {{.Identity.TrustDomain}} - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME 
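Review bot: `LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS` is now filled from `.Identity.Issuer.CrtPEM`, i.e. the trust-anchor bundle is assumed to be the issuer certificate itself. That holds for a self-signed issuer but not for an issuer certificate signed by a separate root, where proxies must trust the root while the issuer presents its own certificate; the separate `Identity.TrustAnchors` value this series removes was what let the two differ. Consider keeping a distinct trust-anchors value (defaulting to the issuer cert) and reading it here and in `linkerd.configs.global`'s `trustAnchorsPem`. Also `_l5d_trustdomain` reads `.Identity.TrustDomain` while `_config.tpl` reads `.TrustDomain`; the only `TrustDomain` key visible in the values.yaml hunks is the removed `Proxy.Identity.TrustDomain`, so confirm which root key actually exists. The define body continues outside this hunk.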
@@ -58,46 +58,46 @@ - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) {{ end -}} - {{ if .DisableTap -}} + {{ if .Proxy.DisableTap -}} - name: LINKERD2_PROXY_TAP_DISABLED value: "true" {{ else -}} - name: LINKERD2_PROXY_TAP_SVC_NAME value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) {{ end -}} - image: {{.Image.Name}}:{{.Image.Version}} - imagePullPolicy: {{.Image.PullPolicy}} + image: {{.Proxy.Image.Name}}:{{.Proxy.Image.Version}} + imagePullPolicy: {{.Proxy.Image.PullPolicy}} livenessProbe: httpGet: path: /metrics - port: {{.Port.Admin}} + port: {{.Proxy.Port.Admin}} initialDelaySeconds: 10 name: linkerd-proxy ports: - - containerPort: {{.Port.Inbound}} + - containerPort: {{.Proxy.Port.Inbound}} name: linkerd-proxy - - containerPort: {{.Port.Admin}} + - containerPort: {{.Proxy.Port.Admin}} name: linkerd-admin readinessProbe: httpGet: path: /ready - port: {{.Port.Admin}} + port: {{.Proxy.Port.Admin}} initialDelaySeconds: 2 {{- if eq .HighAvailability true -}} - {{- include "partials.resources" .ResourceRequirements | nindent 2 -}} + {{- include "partials.resources" .Proxy.ResourceRequirements | nindent 2 -}} {{- end }} securityContext: allowPrivilegeEscalation: false - {{- if .Capabilities -}} - {{- include "partials.proxy.capabilities" . | nindent 4 -}} + {{- if .Proxy.Capabilities -}} + {{- include "partials.proxy.capabilities" .Proxy | nindent 4 -}} {{- end }} readOnlyRootFilesystem: true - runAsUser: {{.UID}} + runAsUser: {{.Proxy.UID}} terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity - {{- if .MountPaths }} - {{- toYaml .MountPaths | trim | nindent 2 -}} + {{- if .Proxy.MountPaths }} + {{- toYaml .Proxy.MountPaths | trim | nindent 2 -}} {{- end }} {{ end -}} From 2b4d94e6ff8328e9f6492378a0a910534a8f36ad Mon Sep 17 00:00:00 2001 
From: Ivan Sim Date: Tue, 30 Jul 2019 15:24:59 -0700 Subject: [PATCH 25/43] Update templates and values file to match #3161 Signed-off-by: Ivan Sim --- charts/linkerd/templates/_config.tpl | 16 ++++++++-------- charts/linkerd/values.yaml | 22 ++++++++-------------- charts/partials/templates/_proxy-init.tpl | 8 ++++---- charts/partials/templates/_proxy.tpl | 20 ++++++++++---------- 4 files changed, 30 insertions(+), 36 deletions(-) diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl index c8bc7f89085df..a089aadd9aff1 100644 --- a/charts/linkerd/templates/_config.tpl +++ b/charts/linkerd/templates/_config.tpl @@ -18,22 +18,22 @@ {{- define "linkerd.configs.proxy" -}} { "adminPort":{ - "port": {{.Proxy.Port.Admin}} + "port": {{.Proxy.Ports.Admin}} }, "controlPort":{ - "port": {{.Proxy.Port.Control}} + "port": {{.Proxy.Ports.Control}} }, "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}}, "ignoreInboundPorts": {{splitList "," .ProxyInit.IgnoreInboundPorts}}, "ignoreOutboundPorts": {{splitList "," .ProxyInit.IgnoreOutboundPorts}}, "inboundPort":{ - "port": {{.Proxy.Port.Inbound}} + "port": {{.Proxy.Ports.Inbound}} }, "logLevel":{ "level": "{{.Proxy.LogLevel}}" }, "outboundPort":{ - "port": {{.Proxy.Port.Outbound}} + "port": {{.Proxy.Ports.Outbound}} }, "proxyImage":{ "imageName":"{{.Proxy.Image.Name}}", @@ -47,10 +47,10 @@ "proxyUid": {{.Proxy.UID}}, "proxyVersion": "{{.Proxy.Image.Version}}", "resource":{ - "limitCpu": "{{.Proxy.ResourceRequirements.CPU.Limit}}", - "limitMemory": "{{.Proxy.ResourceRequirements.Memory.Limit}}", - "requestCpu": "{{.Proxy.ResourceRequirements.CPU.Request}}", - "requestMemory": "{{.Proxy.ResourceRequirements.Memory.Request}}" + "limitCpu": "{{.Proxy.Resources.CPU.Limit}}", + "limitMemory": "{{.Proxy.Resources.Memory.Limit}}", + "requestCpu": "{{.Proxy.Resources.CPU.Request}}", + "requestMemory": "{{.Proxy.Resources.Memory.Request}}" } } {{- end -}} 
diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 767744965b47c..5424aad53fb0b 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -87,6 +87,8 @@ Proxy: Capabilities: Add: Drop: + DisableIdentity: false # inject-only options. Do not change during installation + DisableTap: false # inject-only option. Do not change during installation EnableExternalProfile: false Image: Name: gcr.io/linkerd-io/proxy @@ -94,41 +96,33 @@ Proxy: Version: *linkerd_version LogLevel: warn,linkerd2_proxy=info MountPaths: - Port: + Ports: Admin: 4191 Control: 4190 Inbound: 4143 Outbound: 4140 - UID: 2102 - - # use this to override the default resource requirements in HA mode - ResourceRequirements: + Resources: CPU: Limit: "1" Request: 100m Memory: Limit: 250Mi Request: 20Mi - - # inject-only options. Do not change this for control plane installation - DisableIdentity: false - DisableTap: false + UID: 2102 # proxy-init configuration ProxyInit: Capabilities: Add: Drop: + IgnoreInboundPorts: "" + IgnoreOutboundPorts: "443" Image: Name: gcr.io/linkerd-io/proxy-init PullPolicy: *image_pull_policy Version: v1.0.0 - IgnoreInboundPorts: "" - IgnoreOutboundPorts: "443" MountPath: - - # use this to override the default resource requirements in HA mode - ResourceRequirements: + Resources: CPU: Limit: 100m Request: 10m diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index a3d6bb9a537c8..0e66d62bf3cb3 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl 
@@ -1,19 +1,19 @@ {{- define "partials.proxy-init" -}} - args: - --incoming-proxy-port - - {{.Proxy.Port.Inbound | quote}} + - {{.Proxy.Ports.Inbound | quote}} - --outgoing-proxy-port - - {{.Proxy.Port.Outbound | quote}} + - {{.Proxy.Ports.Outbound | quote}} - --proxy-uid - {{.Proxy.UID | quote}} - --inbound-ports-to-ignore - - {{.Proxy.Port.Control}},{{.Proxy.Port.Admin}}{{ternary (printf ",%s" .ProxyInit.IgnoreInboundPorts) "" (ne .ProxyInit.IgnoreInboundPorts "")}} + - {{.Proxy.Ports.Control}},{{.Proxy.Ports.Admin}}{{ternary (printf ",%s" .ProxyInit.IgnoreInboundPorts) "" (not (empty .ProxyInit.IgnoreInboundPorts))}} - --outbound-ports-to-ignore - {{.ProxyInit.IgnoreOutboundPorts | quote}} image: {{.ProxyInit.Image.Name}}:{{.ProxyInit.Image.Version}} imagePullPolicy: {{.ProxyInit.Image.PullPolicy}} name: linkerd-init - {{- include "partials.resources" .ProxyInit.ResourceRequirements | nindent 2 }} + {{- include "partials.resources" .ProxyInit.Resources | nindent 2 }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 97df8844e166e..9e8730c4b38d1 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl 
@@ -5,13 +5,13 @@ - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .Namespace .ClusterDomain) (eq .Proxy.Component "linkerd-controller")}} - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:{{.Proxy.Port.Control}} + value: 0.0.0.0:{{.Proxy.Ports.Control}} - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:{{.Proxy.Port.Admin}} + value: 0.0.0.0:{{.Proxy.Ports.Admin}} - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:{{.Proxy.Port.Outbound}} + value: 127.0.0.1:{{.Proxy.Ports.Outbound}} - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:{{.Proxy.Port.Inbound}} + value: 0.0.0.0:{{.Proxy.Ports.Inbound}} - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES {{- $internalProfileSuffix := printf "svc.%s." .ClusterDomain }} value: {{ternary "." $internalProfileSuffix .Proxy.EnableExternalProfile}} @@ -29,7 +29,7 @@ - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY value: "10000" {{ end -}} - {{ if .DisableIdentity -}} + {{ if .Proxy.DisableIdentity -}} - name: LINKERD2_PROXY_IDENTITY_DISABLED value: disabled {{ else -}} @@ -70,21 +70,21 @@ livenessProbe: httpGet: path: /metrics - port: {{.Proxy.Port.Admin}} + port: {{.Proxy.Ports.Admin}} initialDelaySeconds: 10 name: linkerd-proxy ports: - - containerPort: {{.Proxy.Port.Inbound}} + - containerPort: {{.Proxy.Ports.Inbound}} name: linkerd-proxy - - containerPort: {{.Proxy.Port.Admin}} + - containerPort: {{.Proxy.Ports.Admin}} name: linkerd-admin readinessProbe: httpGet: path: /ready - port: {{.Proxy.Port.Admin}} + port: {{.Proxy.Ports.Admin}} initialDelaySeconds: 2 {{- if eq .HighAvailability true -}} - {{- include "partials.resources" .Proxy.ResourceRequirements | nindent 2 -}} + {{- include "partials.resources" .Proxy.Resources | nindent 2 -}} {{- end }} securityContext: allowPrivilegeEscalation: false From 71b4fb23e6bb27fdf280ca7e21c2c0a6f53b2837 Mon Sep 17 00:00:00 2001 
From: Ivan Sim Date: Tue, 30 Jul 2019 20:32:42 -0700 Subject: [PATCH 26/43] Perform a dry run installation if there is a local Tiller Signed-off-by: Ivan Sim --- bin/helm.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bin/helm.sh b/bin/helm.sh index 5fb08e26ab9bb..12bfd8097939e 100755 --- a/bin/helm.sh +++ b/bin/helm.sh @@ -9,3 +9,9 @@ helm lint $rootdir/charts/partials helm dep up $rootdir/charts/linkerd helm lint $rootdir/charts/linkerd + +# if tiller is deployed, perform a dry run installation to check for errors +if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then + echo "Performing dry run installation" + helm install --name=linkerd --dry-run charts/linkerd +fi From a21db05e35471878ba02c57d65f88567232f102b Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Tue, 30 Jul 2019 21:46:25 -0700 Subject: [PATCH 27/43] Reorder JSON elements in linkerd-config Signed-off-by: Ivan Sim --- charts/linkerd/templates/_config.tpl | 54 ++++++++++++++-------------- charts/linkerd/values.yaml | 30 +++++++++------- 2 files changed, 44 insertions(+), 40 deletions(-) diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl index a089aadd9aff1..301109e5594e6 100644 --- a/charts/linkerd/templates/_config.tpl +++ b/charts/linkerd/templates/_config.tpl 
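Review bot: The Tiller check in the new `if` is effectively always true whenever kubectl can reach a cluster, because `kubectl get po -l …` exits 0 even when the selector matches nothing (it only prints "No resources found" to stderr), so the dry run will also be attempted, and fail, on clusters without Tiller; the `tiller` variable is assigned and never read. Test the output instead: `if [ -n "$(kubectl get po -l app=helm,name=tiller --all-namespaces -o name 2>/dev/null)" ]; then`. The install line also uses a relative `charts/linkerd` while the lint lines above use `$rootdir/charts/linkerd`; `helm install --name=linkerd --dry-run "$rootdir/charts/linkerd"` keeps the script working from any working directory.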
@@ -1,57 +1,57 @@ {{- define "linkerd.configs.global" -}} { - "autoInjectContext": null, - "clusterDomain": "{{.ClusterDomain}}", + "linkerdNamespace": "{{.Namespace}}", "cniEnabled": {{.CNIEnabled}}, + "version": "{{.LinkerdVersion}}", "identityContext":{ - "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}", + "trustDomain": "{{.Identity.TrustDomain}}", + "trustAnchorsPem": "{{.Identity.Issuer.CrtPEM | replace "\n" "\\n"}}", "issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}", - "trustAnchorsPem": "{{.Identity.Issuer.CrtPEM}}", - "trustDomain": "{{.TrustDomain}}" + "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}" }, - "linkerdNamespace": "{{.Namespace}}", + "autoInjectContext": null, "omitWebhookSideEffects": {{.OmitWebhookSideEffects}}, - "version": "{{.LinkerdVersion}}" + "clusterDomain": "{{.ClusterDomain}}" } {{- end -}} {{- define "linkerd.configs.proxy" -}} { - "adminPort":{ - "port": {{.Proxy.Ports.Admin}} + "proxyImage":{ + "imageName":"{{.Proxy.Image.Name}}", + "pullPolicy":"{{.Proxy.Image.PullPolicy}}" + }, + "proxyInitImage":{ + "imageName":"{{.ProxyInit.Image.Name}}", + "pullPolicy":"{{.ProxyInit.Image.PullPolicy}}" }, "controlPort":{ "port": {{.Proxy.Ports.Control}} }, - "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}}, "ignoreInboundPorts": {{splitList "," .ProxyInit.IgnoreInboundPorts}}, "ignoreOutboundPorts": {{splitList "," .ProxyInit.IgnoreOutboundPorts}}, "inboundPort":{ "port": {{.Proxy.Ports.Inbound}} }, - "logLevel":{ - "level": "{{.Proxy.LogLevel}}" + "adminPort":{ + "port": {{.Proxy.Ports.Admin}} }, "outboundPort":{ "port": {{.Proxy.Ports.Outbound}} }, - "proxyImage":{ - "imageName":"{{.Proxy.Image.Name}}", - "pullPolicy":"{{.Proxy.Image.PullPolicy}}" - }, - "proxyInitImage":{ - "imageName":"{{.ProxyInit.Image.Name}}", - "pullPolicy":"{{.ProxyInit.Image.PullPolicy}}" - }, - "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}", - "proxyUid": {{.Proxy.UID}}, - "proxyVersion": 
"{{.Proxy.Image.Version}}", "resource":{ - "limitCpu": "{{.Proxy.Resources.CPU.Limit}}", - "limitMemory": "{{.Proxy.Resources.Memory.Limit}}", - "requestCpu": "{{.Proxy.Resources.CPU.Request}}", - "requestMemory": "{{.Proxy.Resources.Memory.Request}}" + "requestCpu": "{{ternary .Proxy.Resources.CPU.Request "" (eq .HighAvailability true)}}", + "requestMemory": "{{ternary .Proxy.Resources.Memory.Request "" (eq .HighAvailability true)}}" + "limitCpu": "{{ternary .Proxy.Resources.CPU.Limit "" (eq .HighAvailability true)}}", + "limitMemory": "{{ternary .Proxy.Resources.Memory.Limit "" (eq .HighAvailability true)}}", } + "proxyUid": {{.Proxy.UID}}, + "logLevel":{ + "level": "{{.Proxy.LogLevel}}" + }, + "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}}, + "proxyVersion": "{{.Proxy.Image.Version}}", + "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}", } {{- end -}} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 5424aad53fb0b..7df54ff4f3bec 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -7,7 +7,10 @@ CNIEnabled: false # not supported in Linkerd 2.5 EnableH2Upgrade: true HighAvailability: false ImagePullPolicy: &image_pull_policy IfNotPresent + +# control plane version. See Proxy section for proxy version LinkerdVersion: &linkerd_version stable-2.4.0 + Namespace: linkerd OmitWebhookSideEffects: false @@ -19,7 +22,7 @@ ControllerResources: &controller_resources CPU: &controller_resources_cpu Limit: "1" Request: 100m - Memory: &controller_resources_memory + Memory: Limit: 250Mi Request: 50Mi ControllerUID: 2103 @@ -61,9 +64,10 @@ Identity: dr2WOek0EKHdx0PHRHD8ETYExScYM3bdNw== -----END EC PRIVATE KEY----- Resources: - CPU: - <<: *controller_resources_cpu - Memory: *controller_resources_memory + CPU: *controller_resources_cpu + Memory: + Limit: 250Mi + Request: 10Mi TrustDomain: *cluster_domain # grafana configuration 
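Review bot: The reordered `resource` object in `linkerd.configs.proxy` no longer renders valid JSON: `"requestMemory": …` lost its trailing comma, `"limitMemory": …,` now ends with a comma before the closing `}`, there is no comma between that `}` and `"proxyUid"`, and `"proxyInitImageVersion": …,` leaves a trailing comma before the final `}`. Anything that parses the linkerd-config ConfigMap will reject it, so the rendered output of this template should be run through a JSON parser before merging; the later patch titled "Bug fixes" does not touch `_config.tpl`. The corrected tail of the template is below.
```gotemplate
  "resource":{
    "requestCpu": "{{ternary .Proxy.Resources.CPU.Request "" (eq .HighAvailability true)}}",
    "requestMemory": "{{ternary .Proxy.Resources.Memory.Request "" (eq .HighAvailability true)}}",
    "limitCpu": "{{ternary .Proxy.Resources.CPU.Limit "" (eq .HighAvailability true)}}",
    "limitMemory": "{{ternary .Proxy.Resources.Memory.Limit "" (eq .HighAvailability true)}}"
  },
  "proxyUid": {{.Proxy.UID}},
  {{/* … unchanged: logLevel, disableExternalProfiles, proxyVersion … */}}
  "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}"
}
```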
@@ -84,11 +88,11 @@ PrometheusResources: # proxy configuration Proxy: - Capabilities: - Add: - Drop: + #Capabilities: + #Add: # list of capabilities to add + #Drop: # list of capabilities to drop DisableIdentity: false # inject-only options. Do not change during installation - DisableTap: false # inject-only option. Do not change during installation + DisableTap: false # inject-only option. Do not change during installation EnableExternalProfile: false Image: Name: gcr.io/linkerd-io/proxy @@ -112,9 +116,9 @@ Proxy: # proxy-init configuration ProxyInit: - Capabilities: - Add: - Drop: + #Capabilities: + #Add: # list of capabilities to add + #Drop: # list of capabilities to drop IgnoreInboundPorts: "" IgnoreOutboundPorts: "443" Image: @@ -147,12 +151,12 @@ WebImage: gcr.io/linkerd-io/web WebResources: <<: *controller_resources -# annotations +# control plane annotations - do not edit CreatedByAnnotation: linkerd.io/created-by ProxyInjectAnnotation: linkerd.io/inject ProxyInjectDisabled: disabled -# labels +# control plane labels - do not edit ControllerComponentLabel: linkerd.io/control-plane-component ControllerNamespaceLabel: linkerd.io/control-plane-ns LinkerdNamespaceLabel: linkerd.io/is-control-plane From f7d12061a910bcac356343606406226048266281 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Tue, 30 Jul 2019 22:10:15 -0700 Subject: [PATCH 28/43] Bug fixes Signed-off-by: Ivan Sim --- charts/linkerd/templates/controller.yaml | 7 ++----- charts/linkerd/templates/grafana.yaml | 5 +---- charts/linkerd/templates/heartbeat.yaml | 2 +- charts/linkerd/templates/identity.yaml | 5 +---- charts/linkerd/templates/prometheus.yaml | 2 +- charts/linkerd/templates/proxy-injector.yaml | 5 +---- charts/linkerd/templates/sp-validator.yaml | 5 +---- charts/linkerd/templates/tap.yaml | 5 +---- charts/linkerd/templates/web.yaml | 5 +---- charts/partials/Chart.yaml | 2 +- 10 files changed, 11 insertions(+), 32 deletions(-) 
diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 768017e325920..05a648b664e83 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -42,9 +42,6 @@ spec: port: 8086 targetPort: 8086 --- -{{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} -{{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-controller" -}} {{ include "linkerd.proxy.validation" .Proxy -}} @@ -86,7 +83,7 @@ spec: - -tap-addr=linkerd-tap.{{.Namespace}}.svc.{{.ClusterDomain}}:8088 - -controller-namespace={{.Namespace}} - -log-level={{.ControllerLogLevel}} - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: @@ -118,7 +115,7 @@ spec: - -controller-namespace={{.Namespace}} - -enable-h2-upgrade={{.EnableH2Upgrade}} - -log-level={{.ControllerLogLevel}} - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index 9710aed4baa12..0b9afe98d8b5d 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml @@ -83,9 +83,6 @@ spec: port: 3000 targetPort: 3000 --- -{{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} -{{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-grafana" -}} {{ include "linkerd.proxy.validation" .Proxy -}} 
@@ -120,7 +117,7 @@ spec: - env: - name: GF_PATHS_DATA value: /data - image: {{.GrafanaImage}}:{{default $.Chart.AppVersion .GrafanaImageVersion}} + image: {{.GrafanaImage}}:{{default .LinkerdVersion .GrafanaImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml index 6f05d47204c19..37b4fe0dd9a94 100644 --- a/charts/linkerd/templates/heartbeat.yaml +++ b/charts/linkerd/templates/heartbeat.yaml @@ -29,7 +29,7 @@ spec: restartPolicy: OnFailure containers: - name: heartbeat - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} args: - "heartbeat" diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml index b73c18bfd5d5f..7cb3f856da275 100644 --- a/charts/linkerd/templates/identity.yaml +++ b/charts/linkerd/templates/identity.yaml @@ -43,9 +43,6 @@ spec: port: 8080 targetPort: 8080 --- -{{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} -{{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-identity" -}} {{ include "linkerd.proxy.validation" .Proxy -}} @@ -84,7 +81,7 @@ spec: - args: - identity - -log-level={{.ControllerLogLevel}} - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml index 0eadaf7f64566..f6f7e86dceb39 100644 --- a/charts/linkerd/templates/prometheus.yaml +++ b/charts/linkerd/templates/prometheus.yaml 
@@ -113,7 +113,7 @@ spec: targetPort: 9090 --- {{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} +{{ $_ := set .Proxy.Image "Version" .LinkerdVersion -}} {{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-prometheus" -}} diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml index 7df29d8cef88f..7feaa017d9475 100644 --- a/charts/linkerd/templates/proxy-injector.yaml +++ b/charts/linkerd/templates/proxy-injector.yaml @@ -4,9 +4,6 @@ ### Proxy Injector ### --- -{{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} -{{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-proxy-injector" -}} {{ include "linkerd.proxy.validation" .Proxy -}} @@ -45,7 +42,7 @@ spec: - args: - proxy-injector - -log-level={{.ControllerLogLevel}} - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml index 097d9029775ea..0fc8fb56f0287 100644 --- a/charts/linkerd/templates/sp-validator.yaml +++ b/charts/linkerd/templates/sp-validator.yaml @@ -23,9 +23,6 @@ spec: port: 443 targetPort: sp-validator --- -{{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} -{{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-sp-validator" -}} {{ include "linkerd.proxy.validation" .Proxy -}} 
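Review bot: prometheus.yaml keeps the `{{ if empty .Proxy.Image.Version }} … set .Proxy.Image "Version" … {{ end }}` defaulting block while this same commit removes it from controller, grafana, identity, proxy-injector, sp-validator, tap and web, so whether `.Proxy.Image.Version` gets a fallback now depends on whether and when the prometheus template is rendered. values.yaml already sets `Proxy.Image.Version: *linkerd_version`, so the block looks redundant and could be dropped here as well; if a fallback is still wanted it belongs in one shared place (for example `linkerd.proxy.validation`, whose body is not visible in this patch). Note that `set` mutates the shared `.Proxy.Image` map, so its effect leaks into every other template in render order.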
@@ -64,7 +61,7 @@ spec: - args: - sp-validator - -log-level={{.ControllerLogLevel}} - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml index 8ae8e99e90cf7..79b2488d47deb 100644 --- a/charts/linkerd/templates/tap.yaml +++ b/charts/linkerd/templates/tap.yaml @@ -23,9 +23,6 @@ spec: port: 8088 targetPort: 8088 --- -{{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} -{{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-tap" -}} {{ include "linkerd.proxy.validation" .Proxy -}} @@ -65,7 +62,7 @@ spec: - tap - -controller-namespace={{.Namespace}} - -log-level={{.ControllerLogLevel}} - image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml index 71ed28ec46205..76a7737e934d5 100644 --- a/charts/linkerd/templates/web.yaml +++ b/charts/linkerd/templates/web.yaml @@ -26,9 +26,6 @@ spec: port: 9994 targetPort: 9994 --- -{{ if empty .Proxy.Image.Version -}} -{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}} -{{ end -}} {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-web" -}} {{ include "linkerd.proxy.validation" .Proxy -}} 
@@ -65,7 +62,7 @@ spec: - -grafana-addr=linkerd-grafana.{{.Namespace}}.svc.{{.ClusterDomain}}:3000 - -controller-namespace={{.Namespace}} - -log-level={{.ControllerLogLevel}} - image: {{.WebImage}}:{{default $.Chart.AppVersion .WebImageVersion}} + image: {{.WebImage}}:{{default .LinkerdVersion .WebImageVersion}} imagePullPolicy: {{.ImagePullPolicy}} livenessProbe: httpGet: diff --git a/charts/partials/Chart.yaml b/charts/partials/Chart.yaml index ddfb6c2925ef7..3a753e689f302 100644 --- a/charts/partials/Chart.yaml +++ b/charts/partials/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: stable-v2.4.0 +appVersion: stable-2.4.0 description: A Helm chart containing Linkerd partial templates, depended by the 'linkerd' and 'patch' charts. name: partials version: 0.1.0 From e64c75faf468a85378dbee4a848ae490d738bfb2 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 31 Jul 2019 15:03:48 -0700 Subject: [PATCH 29/43] Re-adjust nested partials indentation to work with inject 'patch' chart Previously, the partials will render their content as an element in the list. While it works for installation, the toJson function in the 'inject' patch code ends up converting it into a JSON list, instead of the expected JSON object. 
Signed-off-by: Ivan Sim --- charts/linkerd/templates/controller.yaml | 6 +- charts/linkerd/templates/grafana.yaml | 6 +- charts/linkerd/templates/heartbeat.yaml | 2 +- charts/linkerd/templates/identity.yaml | 6 +- charts/linkerd/templates/prometheus.yaml | 6 +- charts/linkerd/templates/proxy-injector.yaml | 6 +- .../linkerd/templates/sp-validator-rbac.yaml | 2 +- charts/linkerd/templates/sp-validator.yaml | 6 +- charts/linkerd/templates/tap.yaml | 6 +- charts/linkerd/templates/web.yaml | 6 +- charts/linkerd/values.yaml | 41 ++-- charts/partials/templates/_debug.tpl | 8 +- charts/partials/templates/_proxy-init.tpl | 83 ++++---- charts/partials/templates/_proxy.tpl | 198 +++++++++--------- charts/partials/templates/_volumes.tpl | 6 +- 15 files changed, 200 insertions(+), 188 deletions(-) diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 05a648b664e83..659a889d7ded1 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -141,13 +141,13 @@ spec: volumeMounts: - mountPath: /var/run/linkerd/config name: config - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-controller volumes: - configMap: name: linkerd-config name: config - {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} {{end -}} diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index 0b9afe98d8b5d..c01c8c710b0d5 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml 
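Review bot: The `- {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }}` idiom is repeated without explanation here in controller.yaml and again in grafana, identity, prometheus, proxy-injector, sp-validator, tap and web, and nothing in the templates says why the partials no longer emit their own `- ` or why seven of the eight indent spaces are stripped. The reason is only in the commit message, so a one-line template comment next to the first use in each file would spare the next maintainer a git blame, e.g. `{{/* partials render a bare mapping so the inject patch chart can toJson them as an object; indent 8 then strip 7 spaces to nest under the leading "- " */}}`.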
@@ -143,9 +143,9 @@ spec: - mountPath: /etc/grafana name: grafana-config readOnly: true - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-grafana volumes: - emptyDir: {} @@ -160,5 +160,5 @@ spec: path: provisioning/dashboards/dashboards.yaml name: linkerd-grafana-config name: grafana-config - {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} {{end -}} diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml index 37b4fe0dd9a94..c77980be2ce46 100644 --- a/charts/linkerd/templates/heartbeat.yaml +++ b/charts/linkerd/templates/heartbeat.yaml @@ -26,7 +26,7 @@ spec: {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} spec: serviceAccountName: linkerd-heartbeat - restartPolicy: OnFailure + restartPolicy: Never containers: - name: heartbeat image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml index 7cb3f856da275..b0de903ec0ffa 100644 --- a/charts/linkerd/templates/identity.yaml +++ b/charts/linkerd/templates/identity.yaml @@ -109,9 +109,9 @@ spec: name: config - mountPath: /var/run/linkerd/identity/issuer name: identity-issuer - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-identity volumes: - configMap: 
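Review bot: The heartbeat CronJob's `restartPolicy: OnFailure` → `Never` change is unrelated to the indentation fix this commit describes and is not mentioned in its message, so it is easy to miss in review. With `Never` a failed heartbeat container is not restarted in place; whether the Job still creates replacement pods depends on its backoffLimit, which is outside this hunk. If the change is intentional, a short inline comment such as `restartPolicy: Never  # failed heartbeat pods are deliberately not restarted in place; see <commit or issue>` or a sentence in the commit message would document it.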
@@ -120,6 +120,6 @@ spec: - name: identity-issuer secret: secretName: linkerd-identity-issuer - {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} {{end -}} {{end -}} diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml index f6f7e86dceb39..667cc13fe659f 100644 --- a/charts/linkerd/templates/prometheus.yaml +++ b/charts/linkerd/templates/prometheus.yaml @@ -180,9 +180,9 @@ spec: - mountPath: /etc/prometheus name: prometheus-config readOnly: true - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-prometheus volumes: - emptyDir: {} @@ -190,5 +190,5 @@ spec: - configMap: name: linkerd-prometheus-config name: prometheus-config - {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} {{ end -}} diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml index 7feaa017d9475..8e3f55aff7282 100644 --- a/charts/linkerd/templates/proxy-injector.yaml +++ b/charts/linkerd/templates/proxy-injector.yaml @@ -71,9 +71,9 @@ spec: - mountPath: /var/run/linkerd/tls name: tls readOnly: true - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-proxy-injector volumes: - configMap: 
@@ -82,7 +82,7 @@ spec: - name: tls secret: secretName: linkerd-proxy-injector-tls - {{- include "partials.proxy.volumes.identity" . | nindent 6 }} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} --- kind: Service apiVersion: v1 diff --git a/charts/linkerd/templates/sp-validator-rbac.yaml b/charts/linkerd/templates/sp-validator-rbac.yaml index 0a8fc8e26b2cf..e542763785c34 100644 --- a/charts/linkerd/templates/sp-validator-rbac.yaml +++ b/charts/linkerd/templates/sp-validator-rbac.yaml @@ -79,7 +79,7 @@ webhooks: apiGroups: ["linkerd.io"] apiVersions: ["v1alpha1", "v1alpha2"] resources: ["serviceprofiles"] - {{- if empty .OmitWebhookSideEffects }} + {{- if not .OmitWebhookSideEffects }} sideEffects: None {{- end -}} {{end -}} diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml index 0fc8fb56f0287..dde76367ea932 100644 --- a/charts/linkerd/templates/sp-validator.yaml +++ b/charts/linkerd/templates/sp-validator.yaml @@ -88,13 +88,13 @@ spec: - mountPath: /var/run/linkerd/tls name: tls readOnly: true - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-sp-validator volumes: - name: tls secret: secretName: linkerd-sp-validator-tls - {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} {{end -}} diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml index 79b2488d47deb..c81a7415f9ec3 100644 --- a/charts/linkerd/templates/tap.yaml +++ b/charts/linkerd/templates/tap.yaml 
@@ -85,10 +85,10 @@ spec: {{- end }} securityContext: runAsUser: {{.ControllerUID}} - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-tap volumes: - {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} {{- end -}} diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml index 76a7737e934d5..1f167ed306bde 100644 --- a/charts/linkerd/templates/web.yaml +++ b/charts/linkerd/templates/web.yaml @@ -88,13 +88,13 @@ spec: volumeMounts: - mountPath: /var/run/linkerd/config name: config - {{- include "partials.proxy" . | nindent 6 -}} + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | nindent 6 }} + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-web volumes: - configMap: name: linkerd-config name: config - {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} {{end -}} diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 7df54ff4f3bec..9e85a5e38fc43 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml 
@@ -39,19 +39,21 @@ Identity: # PEM encoded certificate CrtPEM: | -----BEGIN CERTIFICATE----- - MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 - eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1 - MDMxNzA4WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j - YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATwPFIAEAosip9WpovFw3MrJQ3W - NqCzU54MXTMUEaNQBNcHyzz8xfZ2vZY56TQQod3HQ8dEcPwRNgTFJxgzdt03o0Iw + MIIBhDCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 + eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI4MjMxODEzWhcNMjAwNzI3 + MjMxODMzWjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j + YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRnMzvjn+4MpDtsLEseoWlBzrF + S0iGBVFLD0mYDbRzHDjCzwAvOA3y884B+UYysCOFS9E5O96Q7ftf3FySFGkHo0Iw QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC - MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJpWjlDgXGo8hgvr - WX/H+QmI4sSA3EiW1J9ZNweS94UsAiB9IN9rkv/b47tYsynZCpLTzSeF7+16VdyI - DT1weqC2Vg== + MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKG6GF0/tRTj9IWH + 3ntw1IpGD3uIxbJjWzl2nVDmqRawAiEAir+H+rVfGWL+UO8EiqtiRSm39hV7qA1g + N1B+Z/vF63s= -----END CERTIFICATE----- - # Must match the expiry date in CrtPEM - CrtExpiry: 2020-07-25T03:17:08Z + # must match the expiry date in CrtPEM + CrtExpiry: 2020-07-27T23:18:33Z + + # control plane annotation - do not edit CrtExpiryAnnotation: linkerd.io/identity-issuer-expiry IssuanceLifeTime: 86400s @@ -59,9 +61,9 @@ Identity: # PEM encode ECDSA private key KeyPEM: | -----BEGIN EC PRIVATE KEY----- - MHcCAQEEINfi1j8CjonK4FCuDoCUPXRxVMNResGsQDbFqEXTUeJUoAoGCCqGSM49 - AwEHoUQDQgAE8DxSABAKLIqfVqaLxcNzKyUN1jags1OeDF0zFBGjUATXB8s8/MX2 - dr2WOek0EKHdx0PHRHD8ETYExScYM3bdNw== + MHcCAQEEIGTGK1a6wufBFXuugI9uQ6zQ77TUyMZOvu5DrzAZC++5oAoGCCqGSM49 + AwEHoUQDQgAEkZzM745/uDKQ7bCxLHqFpQc6xUtIhgVRSw9JmA20cxw4ws8ALzgN + 8vPOAflGMrAjhUvROTvekO37X9xckhRpBw== -----END EC PRIVATE KEY----- Resources: CPU: *controller_resources_cpu 
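Review bot: This hunk rotates the issuer certificate and key but still ships a working private key (`Identity.Issuer.KeyPEM`) and its trust anchor as chart defaults, so every install that does not override `Identity.Issuer` shares a publicly known identity CA. Safer is to leave both empty and refuse to render without them, e.g. `KeyPEM: ""` here and `{{ required "Identity.Issuer.KeyPEM must be provided" .Identity.Issuer.KeyPEM }}` where the issuer secret is built (I cannot see whether `linkerd.proxy.validation` or identity.yaml already enforces this). `CrtExpiry: 2020-07-27T23:18:33Z` is also an unquoted timestamp, which some YAML loaders type as a date rather than a string; `CrtExpiry: "2020-07-27T23:18:33Z"` keeps it a string on every parser, and since the comment above it already requires it to match the certificate's notAfter, that is a check a validation template could perform rather than relying on hand edits.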
@@ -84,7 +86,12 @@ HeartbeatSchedule: "0 0 * * * " PrometheusImage: prom/prometheus:v2.11.1 PrometheusLogLevel: *controller_log_level PrometheusResources: - <<: *controller_resources + CPU: + Limit: "4" + Request: 300m + Memory: + Limit: 8192Mi + Request: 300Mi # proxy configuration Proxy: @@ -99,7 +106,6 @@ Proxy: PullPolicy: *image_pull_policy Version: *linkerd_version LogLevel: warn,linkerd2_proxy=info - MountPaths: Ports: Admin: 4191 Control: 4190 @@ -112,6 +118,7 @@ Proxy: Memory: Limit: 250Mi Request: 20Mi + SAMountPath: # inject-only option. Do not change during installation UID: 2102 # proxy-init configuration @@ -120,12 +127,11 @@ ProxyInit: #Add: # list of capabilities to add #Drop: # list of capabilities to drop IgnoreInboundPorts: "" - IgnoreOutboundPorts: "443" + IgnoreOutboundPorts: "" Image: Name: gcr.io/linkerd-io/proxy-init PullPolicy: *image_pull_policy Version: v1.0.0 - MountPath: Resources: CPU: Limit: 100m @@ -133,6 +139,7 @@ ProxyInit: Memory: Limit: 50Mi Request: 10Mi + SAMountPath: # inject-only option. Do not change during installation # proxy injector configuration ProxyInjectorResources: diff --git a/charts/partials/templates/_debug.tpl b/charts/partials/templates/_debug.tpl index 993f305439da9..5e984c8842176 100644 --- a/charts/partials/templates/_debug.tpl +++ b/charts/partials/templates/_debug.tpl @@ -1,6 +1,6 @@ {{- define "partials.debug" -}} -- image: {{.Image.Name}}:{{.Image.Version}} - imagePullPolicy: {{.Image.PullPolicy}} - name: linkerd-debug - terminationMessagePolicy: FallbackToLogsOnError +image: {{.Image.Name}}:{{.Image.Version}} +imagePullPolicy: {{.Image.PullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError {{- end -}} diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index 0e66d62bf3cb3..f0df967e45eec 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl 
@@ -1,40 +1,45 @@ {{- define "partials.proxy-init" -}} -- args: - - --incoming-proxy-port - - {{.Proxy.Ports.Inbound | quote}} - - --outgoing-proxy-port - - {{.Proxy.Ports.Outbound | quote}} - - --proxy-uid - - {{.Proxy.UID | quote}} - - --inbound-ports-to-ignore - - {{.Proxy.Ports.Control}},{{.Proxy.Ports.Admin}}{{ternary (printf ",%s" .ProxyInit.IgnoreInboundPorts) "" (not (empty .ProxyInit.IgnoreInboundPorts))}} - - --outbound-ports-to-ignore - - {{.ProxyInit.IgnoreOutboundPorts | quote}} - image: {{.ProxyInit.Image.Name}}:{{.ProxyInit.Image.Version}} - imagePullPolicy: {{.ProxyInit.Image.PullPolicy}} - name: linkerd-init - {{- include "partials.resources" .ProxyInit.Resources | nindent 2 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - {{- if .ProxyInit.Capabilities -}} - {{- if .ProxyInit.Capabilities.Add }} - {{- toYaml .ProxyInit.Capabilities.Add | trim | nindent 6 }} - {{- end }} - {{- if .ProxyInit.Capabilities.Drop -}} - {{- include "partials.proxy-init.capabilities.drop" .ProxyInit | nindent 6 -}} - {{- end }} - {{- end }} - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - {{- if .ProxyInit.MountPaths }} - volumeMounts: - {{- toYaml .ProxyInit.MountPaths | trim | nindent 2 -}} - {{- end }} -{{- end -}} +args: +- --incoming-proxy-port +- {{.Proxy.Ports.Inbound | quote}} +- --outgoing-proxy-port +- {{.Proxy.Ports.Outbound | quote}} +- --proxy-uid +- {{.Proxy.UID | quote}} +- --inbound-ports-to-ignore +- {{.Proxy.Ports.Control}},{{.Proxy.Ports.Admin}}{{ternary (printf ",%s" .ProxyInit.IgnoreInboundPorts) "" (not (empty .ProxyInit.IgnoreInboundPorts)) }} +{{- if hasPrefix "linkerd-" .Proxy.Component }} +- --outbound-ports-to-ignore +- {{ternary (printf "443,%s" .ProxyInit.IgnoreOutboundPorts) (quote "443") (not (empty .ProxyInit.IgnoreOutboundPorts)) }} +{{- else if .ProxyInit.IgnoreOutboundPorts }} +- 
--outbound-ports-to-ignore +- {{.ProxyInit.IgnoreOutboundPorts | quote}} +{{- end }} +image: {{.ProxyInit.Image.Name}}:{{.ProxyInit.Image.Version}} +imagePullPolicy: {{.ProxyInit.Image.PullPolicy}} +name: linkerd-init +{{ include "partials.resources" .ProxyInit.Resources }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if .ProxyInit.Capabilities -}} + {{- if .ProxyInit.Capabilities.Add }} + {{- toYaml .ProxyInit.Capabilities.Add | trim | nindent 4 }} + {{- end }} + {{- if .ProxyInit.Capabilities.Drop -}} + {{- include "partials.proxy-init.capabilities.drop" .ProxyInit | nindent 4 -}} + {{- end }} + {{- end }} + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 +terminationMessagePolicy: FallbackToLogsOnError +{{- if .ProxyInit.SAMountPath }} +volumeMounts: +- {{- toYaml .Proxy.SAMountPath | indent 2 | trimPrefix " " -}} +{{- end }} +{{- end }} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 9e8730c4b38d1..65aaaa8dd2986 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl 
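Review bot: The `volumeMounts` block at the end of the new partial guards on `.ProxyInit.SAMountPath` but renders `.Proxy.SAMountPath`, so the init container's mount is enabled by one key and populated from another; use the same key in both places, `- {{- toYaml .ProxyInit.SAMountPath | indent 2 | trimPrefix " " -}}`. The same mismatch is still present in the `_proxy-init.tpl` hunk of patch 33 later on this page. The `hasPrefix "linkerd-" .Proxy.Component` branch decides per component name whether 443 is always ignored, which is easy to miss when reading values.yaml; a template comment above it, `{{/* components named linkerd-* always ignore outbound 443; other workloads use ProxyInit.IgnoreOutboundPorts as given */}}`, would document the rule where it lives.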
@@ -1,103 +1,103 @@ {{ define "partials.proxy" -}} -- env: - - name: LINKERD2_PROXY_LOG - value: {{.Proxy.LogLevel}} - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .Namespace .ClusterDomain) (eq .Proxy.Component "linkerd-controller")}} - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:{{.Proxy.Ports.Control}} - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:{{.Proxy.Ports.Admin}} - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:{{.Proxy.Ports.Outbound}} - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:{{.Proxy.Ports.Inbound}} - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - {{- $internalProfileSuffix := printf "svc.%s." .ClusterDomain }} - value: {{ternary "." $internalProfileSuffix .Proxy.EnableExternalProfile}} - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - {{ if eq .Proxy.Component "linkerd-prometheus" -}} - - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY - value: "10000" - {{ end -}} - {{ if .Proxy.DisableIdentity -}} - - name: LINKERD2_PROXY_IDENTITY_DISABLED - value: disabled - {{ else -}} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - {{- .Identity.Issuer.CrtPEM | trim | nindent 6 }} - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .Namespace .ClusterDomain }} - value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Proxy.Component "linkerd-identity")}} - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: 
spec.serviceAccountName - - name: _l5d_ns - value: {{.Namespace}} - - name: _l5d_trustdomain - value: {{.Identity.TrustDomain}} - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - {{ end -}} - {{ if .Proxy.DisableTap -}} - - name: LINKERD2_PROXY_TAP_DISABLED - value: "true" - {{ else -}} - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - {{ end -}} - image: {{.Proxy.Image.Name}}:{{.Proxy.Image.Version}} - imagePullPolicy: {{.Proxy.Image.PullPolicy}} - livenessProbe: - httpGet: - path: /metrics - port: {{.Proxy.Ports.Admin}} - initialDelaySeconds: 10 +env: +- name: LINKERD2_PROXY_LOG + value: {{.Proxy.LogLevel}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .Namespace .ClusterDomain) (eq .Proxy.Component "linkerd-controller")}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:{{.Proxy.Ports.Control}} +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:{{.Proxy.Ports.Admin}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:{{.Proxy.Ports.Outbound}} +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:{{.Proxy.Ports.Inbound}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalProfileSuffix := printf "svc.%s." .ClusterDomain }} + value: {{ternary "." 
$internalProfileSuffix .Proxy.EnableExternalProfile}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) +{{ if eq .Proxy.Component "linkerd-prometheus" -}} +- name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY + value: "10000" +{{ end -}} +{{ if .Proxy.DisableIdentity -}} +- name: LINKERD2_PROXY_IDENTITY_DISABLED + value: disabled +{{ else -}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + {{- .Identity.Issuer.CrtPEM | trim | nindent 4 }} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .Namespace .ClusterDomain }} + value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Proxy.Component "linkerd-identity")}} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Namespace}} +- name: _l5d_trustdomain + value: {{.Identity.TrustDomain}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) +{{ end -}} +{{ if .Proxy.DisableTap -}} +- name: LINKERD2_PROXY_TAP_DISABLED + value: "true" +{{ else -}} +- name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) +{{ end -}} +image: {{.Proxy.Image.Name}}:{{.Proxy.Image.Version}} +imagePullPolicy: 
{{.Proxy.Image.PullPolicy}} +livenessProbe: + httpGet: + path: /metrics + port: {{.Proxy.Ports.Admin}} + initialDelaySeconds: 10 +name: linkerd-proxy +ports: +- containerPort: {{.Proxy.Ports.Inbound}} name: linkerd-proxy - ports: - - containerPort: {{.Proxy.Ports.Inbound}} - name: linkerd-proxy - - containerPort: {{.Proxy.Ports.Admin}} - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: {{.Proxy.Ports.Admin}} - initialDelaySeconds: 2 - {{- if eq .HighAvailability true -}} - {{- include "partials.resources" .Proxy.Resources | nindent 2 -}} +- containerPort: {{.Proxy.Ports.Admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Proxy.Ports.Admin}} + initialDelaySeconds: 2 +{{- if eq .HighAvailability true }} +{{ include "partials.resources" .Proxy.Resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Proxy.Capabilities -}} + {{- include "partials.proxy.capabilities" .Proxy | nindent 2 -}} {{- end }} - securityContext: - allowPrivilegeEscalation: false - {{- if .Proxy.Capabilities -}} - {{- include "partials.proxy.capabilities" .Proxy | nindent 4 -}} - {{- end }} - readOnlyRootFilesystem: true - runAsUser: {{.Proxy.UID}} - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - {{- if .Proxy.MountPaths }} - {{- toYaml .Proxy.MountPaths | trim | nindent 2 -}} + readOnlyRootFilesystem: true + runAsUser: {{.Proxy.UID}} +terminationMessagePolicy: FallbackToLogsOnError +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + {{- if .Proxy.SAMountPath }} +- {{- toYaml .Proxy.SAMountPath | indent 2 | trimPrefix " " -}} {{- end }} -{{ end -}} +{{- end }} diff --git a/charts/partials/templates/_volumes.tpl b/charts/partials/templates/_volumes.tpl index cc863736291e9..9162167164c50 100644 --- a/charts/partials/templates/_volumes.tpl 
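Review bot: Several env `value:` lines interpolate chart values unquoted — `value: {{.Proxy.LogLevel}}`, `value: {{.Namespace}}`, `value: {{.Identity.TrustDomain}}` — and Kubernetes requires env values to be strings, so an override that YAML types as a number or boolean is rejected by the API server at install time; pipe each through `quote`, e.g. `value: {{.Proxy.LogLevel | quote}}`. The partial now emits a mapping rather than a `- `-prefixed list item, so every `include "partials.proxy"` caller has to supply the dash; no caller is in this chunk, so I cannot confirm they were updated. The rest of the hunk is an indentation shift and reads fine.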
+++ b/charts/partials/templates/_volumes.tpl @@ -1,5 +1,5 @@ {{ define "partials.proxy.volumes.identity" -}} -- emptyDir: - medium: Memory - name: linkerd-identity-end-entity +emptyDir: + medium: Memory +name: linkerd-identity-end-entity {{- end -}} From f423e273b09df63d657898f08cad2d6d935d49c9 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 31 Jul 2019 15:05:13 -0700 Subject: [PATCH 30/43] Trap the last fail command in the Helm shell script Signed-off-by: Ivan Sim --- bin/helm.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/bin/helm.sh b/bin/helm.sh index 12bfd8097939e..8050bd294a732 100755 --- a/bin/helm.sh +++ b/bin/helm.sh @@ -1,6 +1,9 @@ #!/bin/bash -set -eu +set -e + +# trap the last failed command +trap 'printf "Error on exit:\n Exit code: $?\n Failed command: \"$BASH_COMMAND\"\n"' ERR bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" rootdir="$( cd $bindir/.. && pwd )" @@ -13,5 +16,8 @@ helm lint $rootdir/charts/linkerd # if tiller is deployed, perform a dry run installation to check for errors if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then echo "Performing dry run installation" - helm install --name=linkerd --dry-run charts/linkerd + helm install --name=linkerd --dry-run charts/linkerd 2> /dev/null + + echo "Performing dry run installation (HA mode)" + helm install --name=linkerd --dry-run --set HighAvailability=true charts/linkerd 2> /dev/null fi From dac0e3a9f5fea0713350ad7da2aa764b2b7ed779 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 31 Jul 2019 19:31:16 -0700 Subject: [PATCH 31/43] Add the identity trust anchor Signed-off-by: Ivan Sim --- charts/linkerd/templates/_config.tpl | 2 +- charts/linkerd/values.yaml | 19 +++++++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl index 301109e5594e6..4b46112ef8716 100644 --- a/charts/linkerd/templates/_config.tpl 
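Review bot: In the new `trap` line, `$BASH_COMMAND` is expanded inside printf's format string, so a failing command that contains `%` or a backslash sequence is re-interpreted as a format directive and the message is garbled or printf itself complains; pass both values as arguments instead: `trap 'printf "Error on exit:\n Exit code: %s\n Failed command: %s\n" "$?" "$BASH_COMMAND"' ERR`. Dropping `-u` from `set -eu` in the same hunk is unrelated to the trap and not explained in the commit message; if it was needed, a one-line comment saying why would help.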
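Review bot: In the `@@ -13,5 +16,8 @@` hunk, `2> /dev/null` on both `helm install --dry-run` invocations discards exactly the diagnostic the new ERR trap is meant to surface: when the render fails, the trap prints the command name but helm's error text is gone. If the intent is to hide noisy warnings on success, capture stderr to a variable or file and print it only when the command fails; otherwise drop the redirect.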
+++ b/charts/linkerd/templates/_config.tpl @@ -5,7 +5,7 @@ "version": "{{.LinkerdVersion}}", "identityContext":{ "trustDomain": "{{.Identity.TrustDomain}}", - "trustAnchorsPem": "{{.Identity.Issuer.CrtPEM | replace "\n" "\\n"}}", + "trustAnchorsPem": "{{.Identity.TrustAnchorsPEM | replace "\n" "\\n"}}", "issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}", "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}" }, diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 9e85a5e38fc43..474b389bdc086 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -36,7 +36,7 @@ Identity: Issuer: ClockSkewAllowance: 20s - # PEM encoded certificate + # PEM-encoded certificate CrtPEM: | -----BEGIN CERTIFICATE----- MIIBhDCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 @@ -58,18 +58,33 @@ Identity: IssuanceLifeTime: 86400s - # PEM encode ECDSA private key + # PEM-encoded ECDSA private key KeyPEM: | -----BEGIN EC PRIVATE KEY----- MHcCAQEEIGTGK1a6wufBFXuugI9uQ6zQ77TUyMZOvu5DrzAZC++5oAoGCCqGSM49 AwEHoUQDQgAEkZzM745/uDKQ7bCxLHqFpQc6xUtIhgVRSw9JmA20cxw4ws8ALzgN 8vPOAflGMrAjhUvROTvekO37X9xckhRpBw== -----END EC PRIVATE KEY----- + Resources: CPU: *controller_resources_cpu Memory: Limit: 250Mi Request: 10Mi + + TrustAnchorsPEM: | + -----BEGIN CERTIFICATE----- + MIIBhDCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 + eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI4MjMxODEzWhcNMjAwNzI3 + MjMxODMzWjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j + YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRnMzvjn+4MpDtsLEseoWlBzrF + S0iGBVFLD0mYDbRzHDjCzwAvOA3y884B+UYysCOFS9E5O96Q7ftf3FySFGkHo0Iw + QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC + MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKG6GF0/tRTj9IWH + 3ntw1IpGD3uIxbJjWzl2nVDmqRawAiEAir+H+rVfGWL+UO8EiqtiRSm39hV7qA1g + N1B+Z/vF63s= + -----END CERTIFICATE----- + TrustDomain: *cluster_domain # grafana configuration 
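Review bot: `trustAnchorsPem` is still built by hand-escaping a PEM block with `replace "\n" "\\n"` inside a quoted JSON string; only newlines are handled, so a value containing `"`, a backslash or CRLF line endings would produce invalid JSON in linkerd-config. Letting the template engine encode it is shorter and correct: `"trustAnchorsPem": {{.Identity.TrustAnchorsPEM | toJson}},`. The hunk itself only renames the source value; the escaping predates it.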
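Review bot: The new `TrustAnchorsPEM` default in the `@@ -58,18 +58,33 @@` values.yaml hunk is byte-identical to `Issuer.CrtPEM` above it, i.e. with the defaults the issuer is its own root of trust, and nothing on the page says so. A comment on the key would spare operators who run an intermediate issuer under a separate root from guessing, e.g. `# CA bundle the proxies trust; with these defaults it is the self-signed issuer certificate above`.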
From 0f629ef2bd1c8dc3cbdc62d2ce42593b43bb1b40 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 31 Jul 2019 21:31:08 -0700 Subject: [PATCH 32/43] Address Thomas' feedback on handling HA All the HA-related variables are moved to values-ha.yaml Signed-off-by: Ivan Sim --- bin/helm.sh | 4 +- charts/linkerd/templates/_config.tpl | 10 ++-- charts/linkerd/templates/controller.yaml | 8 +-- charts/linkerd/templates/grafana.yaml | 2 +- charts/linkerd/templates/heartbeat.yaml | 2 +- charts/linkerd/templates/identity.yaml | 6 +-- charts/linkerd/templates/prometheus.yaml | 2 +- .../templates/proxy-injector-rbac.yaml | 2 +- charts/linkerd/templates/proxy-injector.yaml | 6 +-- .../linkerd/templates/sp-validator-rbac.yaml | 2 +- charts/linkerd/templates/sp-validator.yaml | 6 +-- charts/linkerd/templates/tap.yaml | 6 +-- charts/linkerd/templates/web.yaml | 2 +- charts/linkerd/values.yaml | 54 ++++--------------- charts/partials/templates/_metadata.tpl | 2 +- charts/partials/templates/_proxy.tpl | 4 +- 16 files changed, 43 insertions(+), 75 deletions(-) diff --git a/bin/helm.sh b/bin/helm.sh index 8050bd294a732..20e61d6c5d2e2 100755 --- a/bin/helm.sh +++ b/bin/helm.sh @@ -16,8 +16,8 @@ helm lint $rootdir/charts/linkerd # if tiller is deployed, perform a dry run installation to check for errors if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then echo "Performing dry run installation" - helm install --name=linkerd --dry-run charts/linkerd 2> /dev/null + helm install --name=linkerd --dry-run $rootdir/charts/linkerd 2> /dev/null echo "Performing dry run installation (HA mode)" - helm install --name=linkerd --dry-run --set HighAvailability=true charts/linkerd 2> /dev/null + helm install --name=linkerd --dry-run -f $rootdir/charts/linkerd/values.yaml -f $rootdir/charts/linkerd/values-ha.yaml charts/linkerd 2> /dev/null fi diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl index 4b46112ef8716..f99b35af7a822 100644 
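Review bot: The HA dry run passes `$rootdir/charts/linkerd/values.yaml` and `values-ha.yaml` by absolute path but still gives the chart as the relative `charts/linkerd`, while the non-HA line just above was changed to `$rootdir/charts/linkerd`; run from any directory other than the repo root, only the second install fails. Use `$rootdir/charts/linkerd` there too. The commit message says the HA variables moved to `values-ha.yaml`, but that file does not appear in this patch's diffstat; if it is not already present upstream, the dry run fails on a missing file.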
--- a/charts/linkerd/templates/_config.tpl +++ b/charts/linkerd/templates/_config.tpl @@ -1,7 +1,7 @@ {{- define "linkerd.configs.global" -}} { "linkerdNamespace": "{{.Namespace}}", - "cniEnabled": {{.CNIEnabled}}, + "cniEnabled": false, "version": "{{.LinkerdVersion}}", "identityContext":{ "trustDomain": "{{.Identity.TrustDomain}}", @@ -40,10 +40,10 @@ "port": {{.Proxy.Ports.Outbound}} }, "resource":{ - "requestCpu": "{{ternary .Proxy.Resources.CPU.Request "" (eq .HighAvailability true)}}", - "requestMemory": "{{ternary .Proxy.Resources.Memory.Request "" (eq .HighAvailability true)}}" - "limitCpu": "{{ternary .Proxy.Resources.CPU.Limit "" (eq .HighAvailability true)}}", - "limitMemory": "{{ternary .Proxy.Resources.Memory.Limit "" (eq .HighAvailability true)}}", + "requestCpu": "{{.Proxy.Resources.CPU.Request}}", + "limitCpu": "{{.Proxy.Resources.CPU.Limit}}", + "requestMemory": "{{.Proxy.Resources.Memory.Request}}", + "limitMemory": "{{.Proxy.Resources.Memory.Limit}}" } "proxyUid": {{.Proxy.UID}}, "logLevel":{ diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 659a889d7ded1..ef846573792aa 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -56,7 +56,7 @@ metadata: name: linkerd-controller namespace: {{.Namespace}} spec: - replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + replicas: {{.ControllerReplicas}} selector: matchLabels: {{.ControllerComponentLabel}}: controller @@ -72,7 +72,7 @@ spec: {{.ControllerNamespaceLabel}}: {{.Namespace}} {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: - {{- if eq .HighAvailability true -}} + {{- if eq .EnablePodAntiAffinity true -}} {{- $local := dict "Component" "controller" "Label" .ControllerComponentLabel -}} {{- include "linkerd.pod-affinity" $local | nindent 6 -}} {{- end }} 
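Review bot: In the `@@ -40,10 +40,10 @@` hunk the commit fixes the missing comma after `requestMemory`, but the context line that closes the `resource` object is a bare `}` followed by `"proxyUid"` with no comma between them (unless the collapsed rendering of this page dropped it), so the global config is still not valid JSON; the closing line should read `},`. With the new defaults in values.yaml leaving all four resource leaves empty, every one of these fields now renders as `""`; a short comment, `{{/* empty strings mean "no request/limit"; set Proxy.Resources (or values-ha.yaml) to populate */}}`, would save the next reader a trip through the values file.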
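Review bot: The `@@ -72,7 +72,7 @@` controller.yaml hunk tests the new flag as `{{- if eq .EnablePodAntiAffinity true -}}`, while the identity, proxy-injector, sp-validator and tap hunks in this same patch use `{{- if .EnablePodAntiAffinity -}}`; the `eq ... true` form is also stricter, since a value that arrives as a string rather than a bool compares unequal. Use the plain truthiness form here for consistency: `{{- if .EnablePodAntiAffinity -}}`.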
@@ -101,7 +101,7 @@ spec: httpGet: path: /ready port: 9995 - {{- if eq .HighAvailability true -}} + {{- if .PublicAPIResources -}} {{- include "partials.resources" .PublicAPIResources | nindent 8 }} {{- end }} securityContext: @@ -133,7 +133,7 @@ spec: httpGet: path: /ready port: 9996 - {{- if eq .HighAvailability true -}} + {{- if .DestinationResources -}} {{- include "partials.resources" .DestinationResources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index c01c8c710b0d5..81584fd5ff7bb 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml @@ -132,7 +132,7 @@ spec: httpGet: path: /api/health port: 3000 - {{- if eq .HighAvailability true -}} + {{- if .GrafanaResources -}} {{- include "partials.resources" .GrafanaResources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml index c77980be2ce46..3a54c9c9f6d55 100644 --- a/charts/linkerd/templates/heartbeat.yaml +++ b/charts/linkerd/templates/heartbeat.yaml @@ -36,7 +36,7 @@ spec: - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090" - "-controller-namespace={{.Namespace}}" - "-log-level={{.ControllerLogLevel}}" - {{- if eq .HighAvailability true -}} + {{- if .HeartbeatResources -}} {{- include "partials.resources" .HeartbeatResources | nindent 12 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml index b0de903ec0ffa..922603a96b28d 100644 --- a/charts/linkerd/templates/identity.yaml +++ b/charts/linkerd/templates/identity.yaml @@ -57,7 +57,7 @@ metadata: name: linkerd-identity namespace: {{.Namespace}} spec: - replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + replicas: {{.ControllerReplicas}} selector: matchLabels: {{.ControllerComponentLabel}}: identity 
@@ -73,7 +73,7 @@ spec: {{.ControllerNamespaceLabel}}: {{.Namespace}} {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: - {{- if eq .HighAvailability true -}} + {{- if .EnablePodAntiAffinity -}} {{- $local := dict "Component" "identity" "Label" .ControllerComponentLabel -}} {{- include "linkerd.pod-affinity" $local | nindent 6 -}} {{- end }} @@ -99,7 +99,7 @@ spec: httpGet: path: /ready port: 9990 - {{- if eq .HighAvailability true -}} + {{- if .Identity.Resources -}} {{- include "partials.resources" .Identity.Resources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml index 667cc13fe659f..f06d0bfe4a2ff 100644 --- a/charts/linkerd/templates/prometheus.yaml +++ b/charts/linkerd/templates/prometheus.yaml @@ -169,7 +169,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 - {{- if eq .HighAvailability true -}} + {{- if .PrometheusResources -}} {{- include "partials.resources" .PrometheusResources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/proxy-injector-rbac.yaml b/charts/linkerd/templates/proxy-injector-rbac.yaml index 68827ded2896b..0c5436ef91bc7 100644 --- a/charts/linkerd/templates/proxy-injector-rbac.yaml +++ b/charts/linkerd/templates/proxy-injector-rbac.yaml @@ -83,7 +83,7 @@ webhooks: namespace: {{ .Namespace }} path: "/" caBundle: {{ b64enc $ca.Cert }} - failurePolicy: {{ternary "Fail" "Ignore" (eq .HighAvailability true)}} + failurePolicy: {{.WebhookFailurePolicy}} rules: - operations: [ "CREATE" ] apiGroups: [""] diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml index 8e3f55aff7282..4129969f5c500 100644 --- a/charts/linkerd/templates/proxy-injector.yaml +++ b/charts/linkerd/templates/proxy-injector.yaml 
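Review bot: `failurePolicy: {{.WebhookFailurePolicy}}` in the proxy-injector-rbac.yaml hunk accepts any value, and the default this patch introduces in values.yaml is `Ignore`, which means that while linkerd-proxy-injector is unavailable the API server admits pods without a proxy; that availability-over-enforcement trade-off belongs next to the value, e.g. `WebhookFailurePolicy: Ignore  # Fail = reject pod creation while the injector is down; Ignore = admit unmeshed pods`. The API server only accepts `Fail` or `Ignore`, so a typo surfaces at apply time; the template can check it up front with `{{- if not (has .WebhookFailurePolicy (list "Fail" "Ignore")) }}{{ fail "WebhookFailurePolicy must be Fail or Ignore" }}{{- end }}`. The sp-validator-rbac.yaml hunk in this patch has the same line.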
@@ -18,7 +18,7 @@ metadata: name: linkerd-proxy-injector namespace: {{.Namespace}} spec: - replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + replicas: {{.ControllerReplicas}} selector: matchLabels: {{.ControllerComponentLabel}}: proxy-injector @@ -34,7 +34,7 @@ spec: {{.ControllerNamespaceLabel}}: {{.Namespace}} {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: - {{- if eq .HighAvailability true -}} + {{- if .EnablePodAntiAffinity -}} {{- $local := dict "Component" "proxy-injector" "Label" .ControllerComponentLabel -}} {{- include "linkerd.pod-affinity" $local | nindent 6 -}} {{- end }} @@ -60,7 +60,7 @@ spec: httpGet: path: /ready port: 9995 - {{- if eq .HighAvailability true -}} + {{- if .ProxyInjectorResources -}} {{- include "partials.resources" .ProxyInjectorResources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/sp-validator-rbac.yaml b/charts/linkerd/templates/sp-validator-rbac.yaml index e542763785c34..7792a503c3fae 100644 --- a/charts/linkerd/templates/sp-validator-rbac.yaml +++ b/charts/linkerd/templates/sp-validator-rbac.yaml @@ -73,7 +73,7 @@ webhooks: namespace: {{ .Namespace }} path: "/" caBundle: {{ b64enc $ca.Cert }} - failurePolicy: {{ternary "Fail" "Ignore" (eq .HighAvailability true)}} + failurePolicy: {{.WebhookFailurePolicy}} rules: - operations: [ "CREATE" , "UPDATE" ] apiGroups: ["linkerd.io"] diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml index dde76367ea932..85a2901ba5f42 100644 --- a/charts/linkerd/templates/sp-validator.yaml +++ b/charts/linkerd/templates/sp-validator.yaml @@ -37,7 +37,7 @@ metadata: name: linkerd-sp-validator namespace: {{.Namespace}} spec: - replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + replicas: {{.ControllerReplicas}} selector: matchLabels: {{.ControllerComponentLabel}}: sp-validator 
@@ -53,7 +53,7 @@ spec: {{.ControllerNamespaceLabel}}: {{.Namespace}} {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: - {{- if eq .HighAvailability true -}} + {{- if .EnablePodAntiAffinity -}} {{- $local := dict "Component" "sp-validator" "Label" .ControllerComponentLabel -}} {{- include "linkerd.pod-affinity" $local | nindent 6 -}} {{- end }} @@ -79,7 +79,7 @@ spec: httpGet: path: /ready port: 9997 - {{- if eq .HighAvailability true -}} + {{- if .SPValidatorResources -}} {{- include "partials.resources" .SPValidatorResources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml index c81a7415f9ec3..4148dfb798300 100644 --- a/charts/linkerd/templates/tap.yaml +++ b/charts/linkerd/templates/tap.yaml @@ -37,7 +37,7 @@ metadata: name: linkerd-tap namespace: {{.Namespace}} spec: - replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}} + replicas: {{.ControllerReplicas}} selector: matchLabels: {{.ControllerComponentLabel}}: tap @@ -53,7 +53,7 @@ spec: {{.ControllerNamespaceLabel}}: {{.Namespace}} {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: - {{- if eq .HighAvailability true -}} + {{- if .EnablePodAntiAffinity -}} {{- $local := dict "Component" "tap" "Label" .ControllerComponentLabel -}} {{- include "linkerd.pod-affinity" $local | nindent 6 -}} {{- end }} @@ -80,7 +80,7 @@ spec: httpGet: path: /ready port: 9998 - {{- if eq .HighAvailability true -}} + {{- if .TapResources -}} {{- include "partials.resources" .TapResources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml index 1f167ed306bde..49b379d51deee 100644 --- a/charts/linkerd/templates/web.yaml +++ b/charts/linkerd/templates/web.yaml 
@@ -80,7 +80,7 @@ spec: httpGet: path: /ready port: 9994 - {{- if eq .HighAvailability true -}} + {{- if .WebResources -}} {{- include "partials.resources" .WebResources | nindent 8 }} {{- end }} securityContext: diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index 474b389bdc086..99f8125d7be9c 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -3,9 +3,8 @@ # Declare variables to be passed into your templates. ClusterDomain: &cluster_domain cluster.local -CNIEnabled: false # not supported in Linkerd 2.5 EnableH2Upgrade: true -HighAvailability: false +EnablePodAntiAffinity: false ImagePullPolicy: &image_pull_policy IfNotPresent # control plane version. See Proxy section for proxy version @@ -13,23 +12,13 @@ LinkerdVersion: &linkerd_version stable-2.4.0 Namespace: linkerd OmitWebhookSideEffects: false +WebhookFailurePolicy: Ignore # controller configuration ControllerImage: gcr.io/linkerd-io/controller ControllerLogLevel: &controller_log_level info -ControllerReplicas: 3 -ControllerResources: &controller_resources - CPU: &controller_resources_cpu - Limit: "1" - Request: 100m - Memory: - Limit: 250Mi - Request: 50Mi +ControllerReplicas: 1 ControllerUID: 2103 -DestinationResources: - <<: *controller_resources -PublicAPIResources: - <<: *controller_resources # identity configuration Identity: @@ -66,12 +55,6 @@ Identity: 8vPOAflGMrAjhUvROTvekO37X9xckhRpBw== -----END EC PRIVATE KEY----- - Resources: - CPU: *controller_resources_cpu - Memory: - Limit: 250Mi - Request: 10Mi - TrustAnchorsPEM: | -----BEGIN CERTIFICATE----- MIIBhDCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 
@@ -89,24 +72,13 @@ Identity: # grafana configuration GrafanaImage: gcr.io/linkerd-io/grafana -GrafanaResources: - <<: *controller_resources # heartbeat configuration -HeartbeatResources: - <<: *controller_resources HeartbeatSchedule: "0 0 * * * " # prometheus configuration PrometheusImage: prom/prometheus:v2.11.1 PrometheusLogLevel: *controller_log_level -PrometheusResources: - CPU: - Limit: "4" - Request: 300m - Memory: - Limit: 8192Mi - Request: 300Mi # proxy configuration Proxy: @@ -128,11 +100,11 @@ Proxy: Outbound: 4140 Resources: CPU: - Limit: "1" - Request: 100m + Limit: + Request: Memory: - Limit: 250Mi - Request: 20Mi + Limit: + Request: SAMountPath: # inject-only option. Do not change during installation UID: 2102 @@ -157,21 +129,17 @@ ProxyInit: SAMountPath: # inject-only option. Do not change during installation # proxy injector configuration -ProxyInjectorResources: - <<: *controller_resources +#ProxyInjectorResources: *controller_resources # service profile validator configuration -SPValidatorResources: - <<: *controller_resources +#SPValidatorResources: *controller_resources # tap configuration -TapResources: - <<: *controller_resources +#TapResources: *controller_resources # web configuration WebImage: gcr.io/linkerd-io/web -WebResources: - <<: *controller_resources +#WebResources: *controller_resources # control plane annotations - do not edit CreatedByAnnotation: linkerd.io/created-by diff --git a/charts/partials/templates/_metadata.tpl b/charts/partials/templates/_metadata.tpl index 8fe5c100387de..0ccff6b2c8f16 100644 --- a/charts/partials/templates/_metadata.tpl +++ b/charts/partials/templates/_metadata.tpl @@ -1,5 +1,5 @@ {{- define "partials.proxy.annotations" -}} -linkerd.io/identity-mode: {{ternary "disabled" "default" (eq .DisableIdentity true)}} +linkerd.io/identity-mode: {{ternary "default" "disabled" (not .DisableIdentity)}} linkerd.io/proxy-version: {{.Image.Version}} {{- end -}} 
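Review bot: The commented-out `#ProxyInjectorResources: *controller_resources` example in the `@@ -157,21 +129,17 @@` hunk (and the `#SPValidatorResources`, `#TapResources`, `#WebResources` lines beside it) aliases `&controller_resources`, but this patch deletes that anchor from values.yaml and anchors do not resolve across files, so anyone who uncomments a line gets a YAML parse error rather than HA resources. Either point readers at the new location, `# see values-ha.yaml for the control-plane resource settings`, or spell the block out. In the `@@ -128,11 +100,11 @@` hunk, `Limit:` and `Request:` with no value are `null`; if the intent is "unset", removing the four keys (or writing `Resources: {}`) says so explicitly and avoids rendering empty strings into linkerd-config.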
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 65aaaa8dd2986..ce36194a1050d 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -37,7 +37,7 @@ env: value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | - {{- .Identity.Issuer.CrtPEM | trim | nindent 4 }} + {{- .Identity.TrustAnchorsPEM | trim | nindent 4 }} - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR @@ -83,7 +83,7 @@ readinessProbe: path: /ready port: {{.Proxy.Ports.Admin}} initialDelaySeconds: 2 -{{- if eq .HighAvailability true }} +{{- if .Proxy.Resources }} {{ include "partials.resources" .Proxy.Resources }} {{- end }} securityContext: From 9ddf87d1786fd35c1066ae88ddc07b5053e3464b Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 31 Jul 2019 23:12:47 -0700 Subject: [PATCH 33/43] Convert ignore ports string to JSON list in linkerd-config Also fixed some indentation issues. Signed-off-by: Ivan Sim --- charts/linkerd/templates/_config.tpl | 20 ++++++++++++++++++-- charts/linkerd/values.yaml | 10 ---------- charts/partials/templates/_capabilities.tpl | 4 ++-- charts/partials/templates/_proxy-init.tpl | 2 +- charts/partials/templates/_proxy.tpl | 4 ++-- charts/partials/templates/_resources.tpl | 8 ++++---- 6 files changed, 27 insertions(+), 21 deletions(-) diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl index f99b35af7a822..a160ef72247ee 100644 --- a/charts/linkerd/templates/_config.tpl +++ b/charts/linkerd/templates/_config.tpl 
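Review bot: In the `@@ -83,7 +83,7 @@` hunk, `{{- if .Proxy.Resources }}` tests the map rather than its contents, and with the new values.yaml defaults the map is present with all four leaves empty, so the guard is true and `partials.resources` is rendered with empty quantities (what that produces depends on `_resources.tpl`, which is outside this chunk). Guard on the leaves instead: `{{- if or .Proxy.Resources.CPU.Limit .Proxy.Resources.CPU.Request .Proxy.Resources.Memory.Limit .Proxy.Resources.Memory.Request }}`.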
@@ -28,8 +28,24 @@
 "controlPort":{
 "port": {{.Proxy.Ports.Control}}
 },
- "ignoreInboundPorts": {{splitList "," .ProxyInit.IgnoreInboundPorts}},
- "ignoreOutboundPorts": {{splitList "," .ProxyInit.IgnoreOutboundPorts}},
+ "ignoreInboundPorts":[
+ {{- $ports := splitList "," .ProxyInit.IgnoreInboundPorts -}}
+ {{- if gt (len $ports) 1}}
+ {{- $last := sub (len $ports) 1 -}}
+ {{- range $i,$port := $ports -}}
+ {"port":{{$port}}}{{ternary "," "" (ne $i $last)}}
+ {{- end -}}
+ {{- end -}}
+ ],
+ "ignoreOutboundPorts":[
+ {{- $ports := splitList "," .ProxyInit.IgnoreOutboundPorts -}}
+ {{- if gt (len $ports) 1}}
+ {{- $last := sub (len $ports) 1 -}}
+ {{- range $i,$port := $ports -}}
+ {"port":{{$port}}}{{ternary "," "" (ne $i $last)}}
+ {{- end -}}
+ {{- end -}}
+ ],
 "inboundPort":{
 "port": {{.Proxy.Ports.Inbound}}
 },
diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml
index 99f8125d7be9c..f2000870af947 100644
--- a/charts/linkerd/values.yaml
+++ b/charts/linkerd/values.yaml
@@ -82,11 +82,6 @@ PrometheusLogLevel: *controller_log_level
 
 # proxy configuration
 Proxy:
- #Capabilities:
- #Add: # list of capabilities to add
- #Drop: # list of capabilities to drop
- DisableIdentity: false # inject-only options. Do not change during installation
- DisableTap: false # inject-only option. Do not change during installation
 EnableExternalProfile: false
 Image:
 Name: gcr.io/linkerd-io/proxy
@@ -105,14 +100,10 @@ Proxy:
 Memory:
 Limit:
 Request:
- SAMountPath: # inject-only option. Do not change during installation
 UID: 2102
 
 # proxy-init configuration
 ProxyInit:
- #Capabilities:
- #Add: # list of capabilities to add
- #Drop: # list of capabilities to drop
 IgnoreInboundPorts: ""
 IgnoreOutboundPorts: ""
 Image:
@@ -126,7 +117,6 @@ ProxyInit:
 Memory:
 Limit: 50Mi
 Request: 10Mi
- SAMountPath: # inject-only option. Do not change during installation
 
 # proxy injector configuration
 #ProxyInjectorResources: *controller_resources
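Review bot: A single ignored port is silently dropped: `splitList "," "4191"` yields one element, so `{{- if gt (len $ports) 1}}` skips the `range` and `ignoreInboundPorts` renders as `[]`; the `ignoreOutboundPorts` block below it has the same problem. The length test exists only to handle the empty-string default (`splitList` returns a one-element list for it), so test the source value instead: `{{- if .ProxyInit.IgnoreInboundPorts }}` and `{{- if .ProxyInit.IgnoreOutboundPorts }}`. Each `{{$port}}` is also interpolated into the JSON unquoted with no validation in this hunk, so a non-numeric token produces a `linkerd-config` ConfigMap that consumers cannot parse; a numeric check on the split tokens belongs with the chart's other validation. The enclosing `define` starts before and ends after the hunk.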
diff --git a/charts/partials/templates/_capabilities.tpl b/charts/partials/templates/_capabilities.tpl index 48eca891c2426..49d47fe542222 100644 --- a/charts/partials/templates/_capabilities.tpl +++ b/charts/partials/templates/_capabilities.tpl @@ -2,11 +2,11 @@ capabilities: {{- if .Capabilities.Add }} add: - {{- toYaml .Capabilities.Add | trim | nindent 2 }} + {{- toYaml .Capabilities.Add | trim | nindent 4 }} {{- end }} {{- if .Capabilities.Drop }} drop: - {{- toYaml .Capabilities.Drop | trim | nindent 2 }} + {{- toYaml .Capabilities.Drop | trim | nindent 4 }} {{- end }} {{- end -}} diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index f0df967e45eec..417e608b08d39 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl @@ -40,6 +40,6 @@ securityContext: terminationMessagePolicy: FallbackToLogsOnError {{- if .ProxyInit.SAMountPath }} volumeMounts: -- {{- toYaml .Proxy.SAMountPath | indent 2 | trimPrefix " " -}} +- {{- toYaml .Proxy.SAMountPath | trim | indent 2 | trimPrefix " " -}} {{- end }} {{- end }} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index ce36194a1050d..2636a475e970a 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -98,6 +98,6 @@ volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity {{- if .Proxy.SAMountPath }} -- {{- toYaml .Proxy.SAMountPath | indent 2 | trimPrefix " " -}} - {{- end }} +- {{- toYaml .Proxy.SAMountPath | trim | indent 2 | trimPrefix " " -}} + {{- end -}} {{- end }} diff --git a/charts/partials/templates/_resources.tpl b/charts/partials/templates/_resources.tpl index be4eb4381a7b6..3aa24b9433a0c 100644 --- a/charts/partials/templates/_resources.tpl +++ b/charts/partials/templates/_resources.tpl 
@@ -3,19 +3,19 @@ resources: {{- if or .CPU.Limit .Memory.Limit }} limits: {{- with .CPU.Limit }} - cpu: {{.}} + cpu: {{. | quote}} {{- end }} {{- with .Memory.Limit }} - memory: {{.}} + memory: {{. | quote}} {{- end }} {{- end }} {{- if or .CPU.Request .Memory.Request }} requests: {{- with .CPU.Request }} - cpu: {{.}} + cpu: {{. | quote}} {{- end }} {{- with .Memory.Request }} - memory: {{.}} + memory: {{. | quote}} {{- end }} {{- end }} {{- end }} From 0c675282a3d64d2cb2412932deb6af8b9a4e13ac Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Wed, 31 Jul 2019 23:13:21 -0700 Subject: [PATCH 34/43] Add values-ha.yaml Signed-off-by: Ivan Sim --- charts/linkerd/values-ha.yaml | 63 +++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 charts/linkerd/values-ha.yaml diff --git a/charts/linkerd/values-ha.yaml b/charts/linkerd/values-ha.yaml new file mode 100644 index 0000000000000..05bd5ab74ae24 --- /dev/null +++ b/charts/linkerd/values-ha.yaml 
@@ -0,0 +1,63 @@
+# This values.yaml file contains the values needed to enable HA mode.
+# Usage:
+# helm install -f values.yaml -f values-ha.yaml
+
+EnablePodAntiAffinity: true
+
+# controller configuration
+ControllerReplicas: 3
+ControllerResources: &controller_resources
+ CPU: &controller_resources_cpu
+ Limit: "1"
+ Request: 100m
+ Memory:
+ Limit: 250Mi
+ Request: 50Mi
+DestinationResources: *controller_resources
+PublicAPIResources: *controller_resources
+
+# identity configuration
+Identity:
+ Resources:
+ CPU: *controller_resources_cpu
+ Memory:
+ Limit: 250Mi
+ Request: 10Mi
+
+# grafana configuration
+GrafanaResources: *controller_resources
+
+# heartbeat configuration
+HeartbeatResources: *controller_resources
+
+# prometheus configuration
+PrometheusResources:
+ CPU:
+ Limit: "4"
+ Request: 300m
+ Memory:
+ Limit: 8192Mi
+ Request: 300Mi
+
+# proxy configuration
+Proxy:
+ Resources:
+ CPU:
+ Limit: "1"
+ Request: 100m
+ Memory:
+ Limit: 250Mi
+ Request: 20Mi
+
+# proxy injector configuration
+ProxyInjectorResources: *controller_resources
+WebhookFailurePolicy: Fail
+
+# service profile validator configuration
+SPValidatorResources: *controller_resources
+
+# tap configuration
+TapResources: *controller_resources
+
+# web configuration
+WebResources: *controller_resources
From ecfb4ff8998a09846ab1f4d6fc427f9496a19342 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 1 Aug 2019 10:28:55 -0700 Subject: [PATCH 35/43] Include the service account token mount path only if identity is enabled Signed-off-by: Ivan Sim --- charts/linkerd/values.yaml | 18 ++++-------------- charts/partials/templates/_proxy-init.tpl | 7 ++++--- charts/partials/templates/_proxy.tpl | 11 ++++++++--- 3 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml
index f2000870af947..df1eeb75eb313 100644
--- a/charts/linkerd/values.yaml
+++ b/charts/linkerd/values.yaml
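Review bot: `WebhookFailurePolicy: Fail` is the one non-resource setting in this overlay and it deserves a comment, because it changes the injector's failure mode from whatever the base values.yaml sets (not visible here): with `Fail`, pod creation in meshed namespaces is rejected while the proxy injector is unreachable, which is the safe direction for a security-relevant mutation but makes injector availability a gate on scheduling. Suggest `# Fail closed: reject pod creation while the proxy injector is unreachable, so workloads cannot start unmeshed` above that line. The usage comment at the top could also state that this file is an overlay applied on top of values.yaml and is not installable on its own, since it omits every non-resource value.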
@@ -95,11 +95,11 @@ Proxy:
 Outbound: 4140
 Resources:
 CPU:
- Limit:
- Request:
+ Limit: ""
+ Request: ""
 Memory:
- Limit:
- Request:
+ Limit: ""
+ Request: ""
 UID: 2102
 
 # proxy-init configuration
@@ -118,18 +118,8 @@ ProxyInit:
 Limit: 50Mi
 Request: 10Mi
 
-# proxy injector configuration
-#ProxyInjectorResources: *controller_resources
-
-# service profile validator configuration
-#SPValidatorResources: *controller_resources
-
-# tap configuration
-#TapResources: *controller_resources
-
 # web configuration
 WebImage: gcr.io/linkerd-io/web
-#WebResources: *controller_resources
 
 # control plane annotations - do not edit
 CreatedByAnnotation: linkerd.io/created-by
diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl
index 417e608b08d39..39dd27093f2e9 100644
--- a/charts/partials/templates/_proxy-init.tpl
+++ b/charts/partials/templates/_proxy-init.tpl
@@ -40,6 +40,7 @@ securityContext:
 terminationMessagePolicy: FallbackToLogsOnError
 {{- if .ProxyInit.SAMountPath }}
 volumeMounts:
-- {{- toYaml .Proxy.SAMountPath | trim | indent 2 | trimPrefix " " -}}
-{{- end }}
-{{- end }}
+- mountPath:{{.Proxy.SAMountPath.MountPath}}
+ name:{{.Proxy.SAMountPath.Name}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
index 2636a475e970a..c2b89ed10f119 100644
--- a/charts/partials/templates/_proxy.tpl
+++ b/charts/partials/templates/_proxy.tpl
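Review bot: The added lines `- mountPath:{{.Proxy.SAMountPath.MountPath}}` and `  name:{{.Proxy.SAMountPath.Name}}` have no space after the colon, so YAML reads `mountPath:/some/path` as one plain scalar instead of a key/value pair and the rendered volume mount is malformed; the same two lines are added to `_proxy.tpl` in the next commit on this page. Use `- mountPath: {{.Proxy.SAMountPath.MountPath}}` and `  name: {{.Proxy.SAMountPath.Name}}` in both files. Separately, the unchanged guard tests `.ProxyInit.SAMountPath` while the new values are read from `.Proxy.SAMountPath`, so a render that sets only the former fails on a field lookup of a missing mapping; the condition and the values should reference the same key. The enclosing `partials.proxy-init` definition starts before the hunk.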
@@ -94,10 +94,15 @@ securityContext: readOnlyRootFilesystem: true runAsUser: {{.Proxy.UID}} terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .DisableIdentity) (.Proxy.SAMountPath) }} volumeMounts: +{{- if not .DisableIdentity }} - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity - {{- if .Proxy.SAMountPath }} -- {{- toYaml .Proxy.SAMountPath | trim | indent 2 | trimPrefix " " -}} - {{- end -}} +{{- end -}} +{{- if .Proxy.SAMountPath }} +- mountPath:{{.Proxy.SAMountPath.MountPath}} + name:{{.Proxy.SAMountPath.Name}} +{{- end -}} +{{- end -}} {{- end }} From e4a7b99c4458418784fad63588c6d0d7393fc7f8 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 1 Aug 2019 12:10:32 -0700 Subject: [PATCH 36/43] Fixed malformed JSON in linkerd-config config map Signed-off-by: Ivan Sim --- charts/linkerd/templates/_config.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl index a160ef72247ee..6f053890d2dba 100644 --- a/charts/linkerd/templates/_config.tpl +++ b/charts/linkerd/templates/_config.tpl @@ -60,14 +60,14 @@ "limitCpu": "{{.Proxy.Resources.CPU.Limit}}", "requestMemory": "{{.Proxy.Resources.Memory.Request}}", "limitMemory": "{{.Proxy.Resources.Memory.Limit}}" - } + }, "proxyUid": {{.Proxy.UID}}, "logLevel":{ "level": "{{.Proxy.LogLevel}}" }, "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}}, "proxyVersion": "{{.Proxy.Image.Version}}", - "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}", + "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}" } {{- end -}} From bcbd0c9ea46d2c3abbedc28be982147d22b8ecfe Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 1 Aug 2019 13:59:49 -0700 Subject: [PATCH 37/43] Rename chart to 'linkerd2' 
Signed-off-by: Ivan Sim --- bin/helm.sh | 8 ++++---- charts/{linkerd => linkerd2}/.helmignore | 0 charts/{linkerd => linkerd2}/Chart.yaml | 2 +- charts/{linkerd => linkerd2}/requirements.lock | 0 charts/{linkerd => linkerd2}/requirements.yaml | 0 charts/{linkerd => linkerd2}/templates/NOTES.txt | 0 charts/{linkerd => linkerd2}/templates/_affinity.tpl | 0 charts/{linkerd => linkerd2}/templates/_config.tpl | 0 charts/{linkerd => linkerd2}/templates/_helpers.tpl | 0 charts/{linkerd => linkerd2}/templates/_validate.tpl | 0 charts/{linkerd => linkerd2}/templates/config.yaml | 0 .../{linkerd => linkerd2}/templates/controller-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/controller.yaml | 0 charts/{linkerd => linkerd2}/templates/grafana-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/grafana.yaml | 0 .../{linkerd => linkerd2}/templates/heartbeat-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/heartbeat.yaml | 0 charts/{linkerd => linkerd2}/templates/identity-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/identity.yaml | 0 charts/{linkerd => linkerd2}/templates/namespace.yaml | 0 .../{linkerd => linkerd2}/templates/prometheus-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/prometheus.yaml | 0 .../templates/proxy-injector-rbac.yaml | 0 .../{linkerd => linkerd2}/templates/proxy-injector.yaml | 0 charts/{linkerd => linkerd2}/templates/psp.yaml | 0 .../templates/serviceprofile-crd.yaml | 0 .../templates/sp-validator-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/sp-validator.yaml | 0 charts/{linkerd => linkerd2}/templates/tap-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/tap.yaml | 0 .../{linkerd => linkerd2}/templates/trafficsplit-crd.yaml | 0 charts/{linkerd => linkerd2}/templates/web-rbac.yaml | 0 charts/{linkerd => linkerd2}/templates/web.yaml | 0 charts/{linkerd => linkerd2}/values-ha.yaml | 0 charts/{linkerd => linkerd2}/values.yaml | 0 35 files changed, 5 insertions(+), 5 deletions(-) rename charts/{linkerd => 
linkerd2}/.helmignore (100%) rename charts/{linkerd => linkerd2}/Chart.yaml (94%) rename charts/{linkerd => linkerd2}/requirements.lock (100%) rename charts/{linkerd => linkerd2}/requirements.yaml (100%) rename charts/{linkerd => linkerd2}/templates/NOTES.txt (100%) rename charts/{linkerd => linkerd2}/templates/_affinity.tpl (100%) rename charts/{linkerd => linkerd2}/templates/_config.tpl (100%) rename charts/{linkerd => linkerd2}/templates/_helpers.tpl (100%) rename charts/{linkerd => linkerd2}/templates/_validate.tpl (100%) rename charts/{linkerd => linkerd2}/templates/config.yaml (100%) rename charts/{linkerd => linkerd2}/templates/controller-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/controller.yaml (100%) rename charts/{linkerd => linkerd2}/templates/grafana-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/grafana.yaml (100%) rename charts/{linkerd => linkerd2}/templates/heartbeat-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/heartbeat.yaml (100%) rename charts/{linkerd => linkerd2}/templates/identity-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/identity.yaml (100%) rename charts/{linkerd => linkerd2}/templates/namespace.yaml (100%) rename charts/{linkerd => linkerd2}/templates/prometheus-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/prometheus.yaml (100%) rename charts/{linkerd => linkerd2}/templates/proxy-injector-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/proxy-injector.yaml (100%) rename charts/{linkerd => linkerd2}/templates/psp.yaml (100%) rename charts/{linkerd => linkerd2}/templates/serviceprofile-crd.yaml (100%) rename charts/{linkerd => linkerd2}/templates/sp-validator-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/sp-validator.yaml (100%) rename charts/{linkerd => linkerd2}/templates/tap-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/tap.yaml (100%) rename charts/{linkerd => 
linkerd2}/templates/trafficsplit-crd.yaml (100%) rename charts/{linkerd => linkerd2}/templates/web-rbac.yaml (100%) rename charts/{linkerd => linkerd2}/templates/web.yaml (100%) rename charts/{linkerd => linkerd2}/values-ha.yaml (100%) rename charts/{linkerd => linkerd2}/values.yaml (100%) diff --git a/bin/helm.sh b/bin/helm.sh index 20e61d6c5d2e2..ec72213d1e927 100755 --- a/bin/helm.sh +++ b/bin/helm.sh @@ -10,14 +10,14 @@ rootdir="$( cd $bindir/.. && pwd )" helm lint $rootdir/charts/partials -helm dep up $rootdir/charts/linkerd -helm lint $rootdir/charts/linkerd +helm dep up $rootdir/charts/linkerd2 +helm lint $rootdir/charts/linkerd2 # if tiller is deployed, perform a dry run installation to check for errors if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then echo "Performing dry run installation" - helm install --name=linkerd --dry-run $rootdir/charts/linkerd 2> /dev/null + helm install --name=linkerd --dry-run $rootdir/charts/linkerd2 2> /dev/null echo "Performing dry run installation (HA mode)" - helm install --name=linkerd --dry-run -f $rootdir/charts/linkerd/values.yaml -f $rootdir/charts/linkerd/values-ha.yaml charts/linkerd 2> /dev/null + helm install --name=linkerd --dry-run -f $rootdir/charts/linkerd2/values.yaml -f $rootdir/charts/linkerd2/values-ha.yaml charts/linkerd2 2> /dev/null fi diff --git a/charts/linkerd/.helmignore b/charts/linkerd2/.helmignore similarity index 100% rename from charts/linkerd/.helmignore rename to charts/linkerd2/.helmignore diff --git a/charts/linkerd/Chart.yaml b/charts/linkerd2/Chart.yaml similarity index 94% rename from charts/linkerd/Chart.yaml rename to charts/linkerd2/Chart.yaml index 91ccfe5e4454c..6d3b8b6d05c9e 100644 --- a/charts/linkerd/Chart.yaml +++ b/charts/linkerd2/Chart.yaml @@ -5,7 +5,7 @@ home: https://linkerd.io keywords: - service-mesh kubeVersion: ">=1.12.0-0" -name: "linkerd" +name: "linkerd2" sources: - https://github.com/linkerd/linkerd2/ version: 0.1.0 
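Review bot: The HA dry-run line still passes the chart as the relative path `charts/linkerd2` while every other invocation in the hunk uses `$rootdir/charts/linkerd2`, so that check only works when the script is run from the repository root; use `$rootdir/charts/linkerd2` there too (the same line is carried unchanged into the later helm.sh hunk on this page). Both dry runs also discard stderr with `2> /dev/null`, which hides exactly the template errors the surrounding comment says they exist to catch, and unless the script enables `set -e` above this hunk a failed dry run does not fail the script. Dropping the redirect, or at least appending `|| exit 1` to each `helm install`, would make the check meaningful.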
diff --git a/charts/linkerd/requirements.lock b/charts/linkerd2/requirements.lock similarity index 100% rename from charts/linkerd/requirements.lock rename to charts/linkerd2/requirements.lock diff --git a/charts/linkerd/requirements.yaml b/charts/linkerd2/requirements.yaml similarity index 100% rename from charts/linkerd/requirements.yaml rename to charts/linkerd2/requirements.yaml diff --git a/charts/linkerd/templates/NOTES.txt b/charts/linkerd2/templates/NOTES.txt similarity index 100% rename from charts/linkerd/templates/NOTES.txt rename to charts/linkerd2/templates/NOTES.txt diff --git a/charts/linkerd/templates/_affinity.tpl b/charts/linkerd2/templates/_affinity.tpl similarity index 100% rename from charts/linkerd/templates/_affinity.tpl rename to charts/linkerd2/templates/_affinity.tpl diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd2/templates/_config.tpl similarity index 100% rename from charts/linkerd/templates/_config.tpl rename to charts/linkerd2/templates/_config.tpl diff --git a/charts/linkerd/templates/_helpers.tpl b/charts/linkerd2/templates/_helpers.tpl similarity index 100% rename from charts/linkerd/templates/_helpers.tpl rename to charts/linkerd2/templates/_helpers.tpl diff --git a/charts/linkerd/templates/_validate.tpl b/charts/linkerd2/templates/_validate.tpl similarity index 100% rename from charts/linkerd/templates/_validate.tpl rename to charts/linkerd2/templates/_validate.tpl diff --git a/charts/linkerd/templates/config.yaml b/charts/linkerd2/templates/config.yaml similarity index 100% rename from charts/linkerd/templates/config.yaml rename to charts/linkerd2/templates/config.yaml diff --git a/charts/linkerd/templates/controller-rbac.yaml b/charts/linkerd2/templates/controller-rbac.yaml similarity index 100% rename from charts/linkerd/templates/controller-rbac.yaml rename to charts/linkerd2/templates/controller-rbac.yaml 
diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd2/templates/controller.yaml similarity index 100% rename from charts/linkerd/templates/controller.yaml rename to charts/linkerd2/templates/controller.yaml diff --git a/charts/linkerd/templates/grafana-rbac.yaml b/charts/linkerd2/templates/grafana-rbac.yaml similarity index 100% rename from charts/linkerd/templates/grafana-rbac.yaml rename to charts/linkerd2/templates/grafana-rbac.yaml diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd2/templates/grafana.yaml similarity index 100% rename from charts/linkerd/templates/grafana.yaml rename to charts/linkerd2/templates/grafana.yaml diff --git a/charts/linkerd/templates/heartbeat-rbac.yaml b/charts/linkerd2/templates/heartbeat-rbac.yaml similarity index 100% rename from charts/linkerd/templates/heartbeat-rbac.yaml rename to charts/linkerd2/templates/heartbeat-rbac.yaml diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd2/templates/heartbeat.yaml similarity index 100% rename from charts/linkerd/templates/heartbeat.yaml rename to charts/linkerd2/templates/heartbeat.yaml diff --git a/charts/linkerd/templates/identity-rbac.yaml b/charts/linkerd2/templates/identity-rbac.yaml similarity index 100% rename from charts/linkerd/templates/identity-rbac.yaml rename to charts/linkerd2/templates/identity-rbac.yaml diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd2/templates/identity.yaml similarity index 100% rename from charts/linkerd/templates/identity.yaml rename to charts/linkerd2/templates/identity.yaml diff --git a/charts/linkerd/templates/namespace.yaml b/charts/linkerd2/templates/namespace.yaml similarity index 100% rename from charts/linkerd/templates/namespace.yaml rename to charts/linkerd2/templates/namespace.yaml 
diff --git a/charts/linkerd/templates/prometheus-rbac.yaml b/charts/linkerd2/templates/prometheus-rbac.yaml similarity index 100% rename from charts/linkerd/templates/prometheus-rbac.yaml rename to charts/linkerd2/templates/prometheus-rbac.yaml diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd2/templates/prometheus.yaml similarity index 100% rename from charts/linkerd/templates/prometheus.yaml rename to charts/linkerd2/templates/prometheus.yaml diff --git a/charts/linkerd/templates/proxy-injector-rbac.yaml b/charts/linkerd2/templates/proxy-injector-rbac.yaml similarity index 100% rename from charts/linkerd/templates/proxy-injector-rbac.yaml rename to charts/linkerd2/templates/proxy-injector-rbac.yaml diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd2/templates/proxy-injector.yaml similarity index 100% rename from charts/linkerd/templates/proxy-injector.yaml rename to charts/linkerd2/templates/proxy-injector.yaml diff --git a/charts/linkerd/templates/psp.yaml b/charts/linkerd2/templates/psp.yaml similarity index 100% rename from charts/linkerd/templates/psp.yaml rename to charts/linkerd2/templates/psp.yaml diff --git a/charts/linkerd/templates/serviceprofile-crd.yaml b/charts/linkerd2/templates/serviceprofile-crd.yaml similarity index 100% rename from charts/linkerd/templates/serviceprofile-crd.yaml rename to charts/linkerd2/templates/serviceprofile-crd.yaml diff --git a/charts/linkerd/templates/sp-validator-rbac.yaml b/charts/linkerd2/templates/sp-validator-rbac.yaml similarity index 100% rename from charts/linkerd/templates/sp-validator-rbac.yaml rename to charts/linkerd2/templates/sp-validator-rbac.yaml diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd2/templates/sp-validator.yaml similarity index 100% rename from charts/linkerd/templates/sp-validator.yaml rename to charts/linkerd2/templates/sp-validator.yaml 
diff --git a/charts/linkerd/templates/tap-rbac.yaml b/charts/linkerd2/templates/tap-rbac.yaml similarity index 100% rename from charts/linkerd/templates/tap-rbac.yaml rename to charts/linkerd2/templates/tap-rbac.yaml diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd2/templates/tap.yaml similarity index 100% rename from charts/linkerd/templates/tap.yaml rename to charts/linkerd2/templates/tap.yaml diff --git a/charts/linkerd/templates/trafficsplit-crd.yaml b/charts/linkerd2/templates/trafficsplit-crd.yaml similarity index 100% rename from charts/linkerd/templates/trafficsplit-crd.yaml rename to charts/linkerd2/templates/trafficsplit-crd.yaml diff --git a/charts/linkerd/templates/web-rbac.yaml b/charts/linkerd2/templates/web-rbac.yaml similarity index 100% rename from charts/linkerd/templates/web-rbac.yaml rename to charts/linkerd2/templates/web-rbac.yaml diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd2/templates/web.yaml similarity index 100% rename from charts/linkerd/templates/web.yaml rename to charts/linkerd2/templates/web.yaml diff --git a/charts/linkerd/values-ha.yaml b/charts/linkerd2/values-ha.yaml similarity index 100% rename from charts/linkerd/values-ha.yaml rename to charts/linkerd2/values-ha.yaml diff --git a/charts/linkerd/values.yaml b/charts/linkerd2/values.yaml similarity index 100% rename from charts/linkerd/values.yaml rename to charts/linkerd2/values.yaml From 02be87f12663388ccf7ee87fa98dd772fd5c0ebe Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 1 Aug 2019 14:03:35 -0700 Subject: [PATCH 38/43] Add NOTES.txt Signed-off-by: Ivan Sim --- charts/linkerd2/templates/NOTES.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/charts/linkerd2/templates/NOTES.txt b/charts/linkerd2/templates/NOTES.txt index e69de29bb2d1d..95037b8055bf8 100644 --- a/charts/linkerd2/templates/NOTES.txt +++ b/charts/linkerd2/templates/NOTES.txt 
@@ -0,0 +1,14 @@ +Linkerd was successfully installed 🎉 + +Add the linkerd CLI to your path with: + + export PATH=\$PATH:\$HOME/.linkerd2/bin + +Now run: + + linkerd check --pre # validate that Linkerd can be installed + linkerd install | kubectl apply -f - # install the control plane into the 'linkerd' namespace + linkerd check # validate everything worked! + linkerd dashboard # launch the dashboard + +Looking for more? Visit https://linkerd.io/2/next-steps From 8781d69467d39a2b8177be1f0f9b0d16b2c9f846 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 1 Aug 2019 14:52:08 -0700 Subject: [PATCH 39/43] Fix incorrect variable path in proxy template Signed-off-by: Ivan Sim --- charts/partials/templates/_proxy.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index c2b89ed10f119..e34fcb796d9d4 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -94,9 +94,9 @@ securityContext: readOnlyRootFilesystem: true runAsUser: {{.Proxy.UID}} terminationMessagePolicy: FallbackToLogsOnError -{{- if or (not .DisableIdentity) (.Proxy.SAMountPath) }} +{{- if or (not .Proxy.DisableIdentity) (.Proxy.SAMountPath) }} volumeMounts: -{{- if not .DisableIdentity }} +{{- if not .Proxy.DisableIdentity }} - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity {{- end -}} From e8592de51a87f2d9c060cc2ad575fde0252df3e4 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Thu, 1 Aug 2019 15:00:39 -0700 Subject: [PATCH 40/43] Remove fake TLS assets Signed-off-by: Ivan Sim --- charts/linkerd2/values.yaml | 29 +---------------------------- 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index df1eeb75eb313..c5b837e648644 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml 
@@ -27,20 +27,9 @@ Identity: # PEM-encoded certificate CrtPEM: | - -----BEGIN CERTIFICATE----- - MIIBhDCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 - eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI4MjMxODEzWhcNMjAwNzI3 - MjMxODMzWjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j - YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRnMzvjn+4MpDtsLEseoWlBzrF - S0iGBVFLD0mYDbRzHDjCzwAvOA3y884B+UYysCOFS9E5O96Q7ftf3FySFGkHo0Iw - QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC - MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKG6GF0/tRTj9IWH - 3ntw1IpGD3uIxbJjWzl2nVDmqRawAiEAir+H+rVfGWL+UO8EiqtiRSm39hV7qA1g - N1B+Z/vF63s= - -----END CERTIFICATE----- # must match the expiry date in CrtPEM - CrtExpiry: 2020-07-27T23:18:33Z + CrtExpiry: # control plane annotation - do not edit CrtExpiryAnnotation: linkerd.io/identity-issuer-expiry @@ -49,24 +38,8 @@ Identity: # PEM-encoded ECDSA private key KeyPEM: | - -----BEGIN EC PRIVATE KEY----- - MHcCAQEEIGTGK1a6wufBFXuugI9uQ6zQ77TUyMZOvu5DrzAZC++5oAoGCCqGSM49 - AwEHoUQDQgAEkZzM745/uDKQ7bCxLHqFpQc6xUtIhgVRSw9JmA20cxw4ws8ALzgN - 8vPOAflGMrAjhUvROTvekO37X9xckhRpBw== - -----END EC PRIVATE KEY----- TrustAnchorsPEM: | - -----BEGIN CERTIFICATE----- - MIIBhDCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 - eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI4MjMxODEzWhcNMjAwNzI3 - MjMxODMzWjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j - YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRnMzvjn+4MpDtsLEseoWlBzrF - S0iGBVFLD0mYDbRzHDjCzwAvOA3y884B+UYysCOFS9E5O96Q7ftf3FySFGkHo0Iw - QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC - MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKG6GF0/tRTj9IWH - 3ntw1IpGD3uIxbJjWzl2nVDmqRawAiEAir+H+rVfGWL+UO8EiqtiRSm39hV7qA1g - N1B+Z/vF63s= - -----END CERTIFICATE----- TrustDomain: *cluster_domain From 5236069168c6f6f56f3725d6a60b4e1edcbad7a0 Mon Sep 17 00:00:00 2001 
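Review bot: With the sample material removed, `CrtPEM: |` and `KeyPEM: |` render as empty strings and `CrtExpiry:` as null, and nothing in this hunk rejects those values at install time; the later commit on this page adds `required` only for `Identity.TrustAnchorsPEM`. Unless the templates that consume `Identity.Issuer` (not in this diff) already wrap them, give the issuer certificate, key and expiry the same `required "..."` treatment so an install with an empty issuer fails at render rather than deploying an identity service with no credentials. Writing `CrtExpiry: ""` would also match the empty-string convention used for `Proxy.Resources` in the earlier values.yaml hunk and keep the `# must match the expiry date in CrtPEM` comment accurate. The `Identity` mapping continues outside the hunk.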
From: Ivan Sim Date: Fri, 2 Aug 2019 09:50:58 -0700 Subject: [PATCH 41/43] Add 'required' constraint to identity trust anchors variable Signed-off-by: Ivan Sim --- bin/helm.sh | 6 +++--- charts/linkerd2/templates/_config.tpl | 2 +- charts/partials/templates/_proxy.tpl | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/bin/helm.sh b/bin/helm.sh index ec72213d1e927..af9786ce31c45 100755 --- a/bin/helm.sh +++ b/bin/helm.sh @@ -11,13 +11,13 @@ rootdir="$( cd $bindir/.. && pwd )" helm lint $rootdir/charts/partials helm dep up $rootdir/charts/linkerd2 -helm lint $rootdir/charts/linkerd2 +helm lint --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2 # if tiller is deployed, perform a dry run installation to check for errors if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then echo "Performing dry run installation" - helm install --name=linkerd --dry-run $rootdir/charts/linkerd2 2> /dev/null + helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2 2> /dev/null echo "Performing dry run installation (HA mode)" - helm install --name=linkerd --dry-run -f $rootdir/charts/linkerd2/values.yaml -f $rootdir/charts/linkerd2/values-ha.yaml charts/linkerd2 2> /dev/null + helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" -f $rootdir/charts/linkerd2/values.yaml -f $rootdir/charts/linkerd2/values-ha.yaml charts/linkerd2 2> /dev/null fi 
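Review bot: The four `--set Identity...` flags are repeated verbatim on all three `helm` invocations, so a future change to the set of required identity values must be made in three places. If the script runs under bash, collect them once as `fake_tls=(--set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date")` and pass `"${fake_tls[@]}"` to each command. A one-line comment stating that these are placeholders present only so the chart's `required` constraints pass during lint and dry-run would also help, since the values are visibly not PEM.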
diff --git a/charts/linkerd2/templates/_config.tpl b/charts/linkerd2/templates/_config.tpl index 6f053890d2dba..915ce44319362 100644 --- a/charts/linkerd2/templates/_config.tpl +++ b/charts/linkerd2/templates/_config.tpl @@ -5,7 +5,7 @@ "version": "{{.LinkerdVersion}}", "identityContext":{ "trustDomain": "{{.Identity.TrustDomain}}", - "trustAnchorsPem": "{{.Identity.TrustAnchorsPEM | replace "\n" "\\n"}}", + "trustAnchorsPem": "{{required "Please provide the identity trust anchors" .Identity.TrustAnchorsPEM | replace "\n" "\\n"}}", "issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}", "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}" }, diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index e34fcb796d9d4..ab947da0d7ec5 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -37,7 +37,7 @@ env: value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | - {{- .Identity.TrustAnchorsPEM | trim | nindent 4 }} + {{- required "Please provide the identity trust anchors" .Identity.TrustAnchorsPEM | trim | nindent 4 }} - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR From c79c41482c0f613f0b79e454d5435361c21d1168 Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Fri, 2 Aug 2019 13:04:16 -0700 Subject: [PATCH 42/43] Update tap templates per #3167 Signed-off-by: Ivan Sim --- charts/linkerd2/templates/tap-rbac.yaml | 72 +++++++++++++++++++++++-- charts/linkerd2/templates/tap.yaml | 19 +++++-- 2 files changed, 84 insertions(+), 7 deletions(-) diff --git a/charts/linkerd2/templates/tap-rbac.yaml b/charts/linkerd2/templates/tap-rbac.yaml index 8222db6c8e5a7..2e241804e2567 100644 --- a/charts/linkerd2/templates/tap-rbac.yaml +++ b/charts/linkerd2/templates/tap-rbac.yaml 
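Review bot: `replace "\n" "\\n"` only escapes newlines before the value is dropped inside a JSON string literal on the `trustAnchorsPem` line, so a trust-anchor bundle containing a carriage return (a PEM saved with CRLF endings) or a double quote renders a `linkerd-config` ConfigMap that is not valid JSON, and the added `required` does not change that. Let the template engine do the escaping: `"trustAnchorsPem": {{required "Please provide the identity trust anchors" .Identity.TrustAnchorsPEM | toJson}},` emits the surrounding quotes and escapes every control character. The matching `required` in the `_proxy.tpl` hunk below is fine as written, since `nindent` places the value in a YAML block scalar there. The enclosing `define` starts before and ends after the hunk.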
@@ -5,7 +5,7 @@
 ###
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: linkerd-{{.Namespace}}-tap
 labels:
@@ -23,7 +23,7 @@ rules:
 verbs: ["list" , "get", "watch"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: linkerd-{{.Namespace}}-tap
 labels:
@@ -38,6 +38,22 @@ subjects:
 name: linkerd-tap
 namespace: {{.Namespace}}
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: linkerd-{{.Namespace}}-tap-auth-delegator
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
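Review bot: The new ClusterRoleBinding to `system:auth-delegator` lets the `linkerd-tap` service account create TokenReviews and SubjectAccessReviews cluster-wide, which is a real widening of its privileges, and nothing in the template says why. A comment above the resource tying it to the APIService registered later in this file would let a reviewer judge the grant, e.g. `# tap is served as an aggregated API; auth-delegator lets it validate bearer tokens and authorize callers through the core apiserver (TokenReview/SubjectAccessReview)`. The `v1beta1` to `v1` bump in the two earlier hunks is good; if other templates in the chart still use `rbac.authorization.k8s.io/v1beta1` (not visible here) they should follow.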
@@ -46,4 +62,54 @@ metadata: labels: {{.ControllerComponentLabel}}: tap {{.ControllerNamespaceLabel}}: {{.Namespace}} -{{- end -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-{{.Namespace}}-tap-auth-reader + namespace: kube-system + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: {{.Namespace}} +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-tap-tls + namespace: {{ .Namespace }} + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{ .CreatedByAnnotation }}: {{ .CliVersion }} +type: Opaque +data: + {{ $ca := genCA (printf "linkerd-tap.%s.svc" .Namespace) 365 -}} + crt.pem: {{ b64enc $ca.Cert }} + key.pem: {{ b64enc $ca.Key }} +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.tap.linkerd.io + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: {{.Namespace}} + caBundle: {{ b64enc $ca.Cert }} +{{end -}} diff --git a/charts/linkerd2/templates/tap.yaml b/charts/linkerd2/templates/tap.yaml index 4148dfb798300..96e92af558a33 100644 --- a/charts/linkerd2/templates/tap.yaml +++ b/charts/linkerd2/templates/tap.yaml 
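Review bot: `genCA` in the new Secret runs on every render, so each `helm upgrade` or re-run of `helm template` mints a fresh key pair and rewrites `linkerd-tap-tls` and the APIService `caBundle` together, while the tap pod keeps serving with the previously mounted key until the kubelet refreshes the volume or the pod restarts; in that window the aggregated API fails TLS verification, and the freshly generated private key is also emitted into every rendered manifest. A values-driven override (operator-supplied cert and key, with `genCA` only as the fallback when both are absent) would keep the material stable across upgrades and allow a bring-your-own CA, and the hard-coded `365`-day lifetime deserves a value and a comment, since nothing here rotates the certificate before it expires. `{{ .CreatedByAnnotation }}: {{ .CliVersion }}` on the Secret is unguarded, whereas the Deployment in tap.yaml uses `{{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}`; with `.CliVersion` unset under Helm this renders an empty annotation value, so the same `default` belongs here. Because `$ca` is assigned inside the Secret's `data:` block and read again in the APIService document, a comment at the assignment such as `# NOTE: regenerated on every render; also consumed by the APIService caBundle below` would make the cross-document dependency visible.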
@@ -22,12 +22,15 @@ spec: - name: grpc port: 8088 targetPort: 8088 + - name: apiserver + port: 443 + targetPort: apiserver --- {{ $_ := set .Proxy "WorkloadKind" "deployment" -}} {{ $_ := set .Proxy "Component" "linkerd-tap" -}} {{ include "linkerd.proxy.validation" .Proxy -}} -apiVersion: apps/v1 kind: Deployment +apiVersion: apps/v1 metadata: annotations: {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} @@ -54,8 +57,7 @@ spec: {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: {{- if .EnablePodAntiAffinity -}} - {{- $local := dict "Component" "tap" "Label" .ControllerComponentLabel -}} - {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- include "linkerd.pod-affinity" . | nindent 6 -}} {{- end }} containers: - args: @@ -73,6 +75,8 @@ spec: ports: - containerPort: 8088 name: grpc + - containerPort: 8089 + name: apiserver - containerPort: 9998 name: admin-http readinessProbe: @@ -85,10 +89,17 @@ spec: {{- end }} securityContext: runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} serviceAccountName: linkerd-tap volumes: - - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} + - name: tls + secret: + secretName: linkerd-tap-tls {{- end -}} From 681a921a3dcbdbb513974b25a4f9bb14054ee72e Mon Sep 17 00:00:00 2001 From: Ivan Sim Date: Fri, 2 Aug 2019 13:10:09 -0700 Subject: [PATCH 43/43] Bump default version to edge-19.8.1 due to dependency on RSA support 
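Review bot: The Deployment mounts `linkerd-tap-tls` in the last hunk, but nothing in the pod template changes when that Secret does, and tap-rbac.yaml regenerates its key and certificate on every render; a rollout trigger such as `checksum/tls: {{ include (print $.Template.BasePath "/tap-rbac.yaml") . | sha256sum }}` under the pod template's metadata annotations keeps the served certificate in step with the APIService `caBundle`. The `readOnly: true` on the mount is right; a comment on the `tls` volume like `# Serving key pair for the aggregated tap API, rendered by tap-rbac.yaml` would tell the reader where the Secret comes from. The container's args and probes sit outside these hunks, so whether the tap server is actually told to load `/var/run/linkerd/tls` and to listen on `apiserver` (8089) cannot be verified from this view.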
Signed-off-by: Ivan Sim --- charts/linkerd2/Chart.yaml | 2 +- charts/linkerd2/templates/controller.yaml | 2 +- charts/linkerd2/templates/tap.yaml | 3 ++- charts/linkerd2/values.yaml | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/linkerd2/Chart.yaml b/charts/linkerd2/Chart.yaml index 6d3b8b6d05c9e..5630436730afb 100644 --- a/charts/linkerd2/Chart.yaml +++ b/charts/linkerd2/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: "v1" -appVersion: stable-2.4.0 +appVersion: edge-19.8.1 description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required. home: https://linkerd.io keywords: diff --git a/charts/linkerd2/templates/controller.yaml b/charts/linkerd2/templates/controller.yaml index ef846573792aa..9e2d85b5f2956 100644 --- a/charts/linkerd2/templates/controller.yaml +++ b/charts/linkerd2/templates/controller.yaml @@ -72,7 +72,7 @@ spec: {{.ControllerNamespaceLabel}}: {{.Namespace}} {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: - {{- if eq .EnablePodAntiAffinity true -}} + {{- if .EnablePodAntiAffinity -}} {{- $local := dict "Component" "controller" "Label" .ControllerComponentLabel -}} {{- include "linkerd.pod-affinity" $local | nindent 6 -}} {{- end }} diff --git a/charts/linkerd2/templates/tap.yaml b/charts/linkerd2/templates/tap.yaml index 96e92af558a33..7468e2f1ba8a6 100644 --- a/charts/linkerd2/templates/tap.yaml +++ b/charts/linkerd2/templates/tap.yaml @@ -57,7 +57,8 @@ spec: {{- include "partials.proxy.labels" .Proxy | nindent 8}} spec: {{- if .EnablePodAntiAffinity -}} - {{- include "linkerd.pod-affinity" . | nindent 6 -}} + {{- $local := dict "Component" "tap" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} {{- end }} containers: - args: diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index c5b837e648644..be57b65ce8abd 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml 
@@ -8,7 +8,7 @@ EnablePodAntiAffinity: false ImagePullPolicy: &image_pull_policy IfNotPresent # control plane version. See Proxy section for proxy version -LinkerdVersion: &linkerd_version stable-2.4.0 +LinkerdVersion: &linkerd_version edge-19.8.1 Namespace: linkerd OmitWebhookSideEffects: false